Universidad San Juan De La Cruz (San Jose International Division)

Analysis of a framework for allocating responsibilities for various security measures within outsourcing principles in Security Management Systems

Thesis submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Information Technology Management with an emphasis on Security Management Systems

April 1st 2013

By Rohit Kumar Nanduri

I hereby declare that I am the author of this dissertation.

security management system Page 1 of 58

I hereby authorize Universidad San Juan De La Cruz to allow the use of this dissertation only for scholarly research. I further authorize Universidad San Juan De La Cruz to use my dissertation only within the university, for research purposes only and not for other institutions.

Rohit Kumar Nanduri
Security Management Systems

Abstract

This paper presents a generalized framework for allocating responsibilities for various security functions within an outsourced environment. The framework is based on the outsourcing principles contained within ISO 17799:2000 and divides work along the lines of the risk management structure proposed in ISO 13335-3:1998. The paper also illustrates how the proposed risk management framework conforms to the requirements of ISO 17799:2000. The conclusions are that business control over risk management decisions cannot be outsourced. Whilst information security can be maintained in an outsourced environment, this requires a clear delineation of responsibilities between the business and the outsourcer. Countermeasures should focus not only on security measures but should also be balanced against the needs of the business in its day-to-day operations. Security countermeasures have the broad goal of adjusting the behaviour of potential threat actors so that they do not pose a threat to the organisation.
Implementation objectives and strategies include:
• Control access to the target, denying access to possible threat actors
• Where possible, deter threat actors from acting
• Detect any threat action
• Assess what has been detected
• Respond to any active threat action
• Minimize any impediment to normal business operations

Acknowledgment

• I would like to mention my grandfather Desiraju Lakshman Rao, who is deeply revered by me even now, who instilled education in me and guided me never to give up what I set out to aspire to become, in education and in the professional environment.
• The almighty himself, who enabled me to finish my dissertation and commence a new start in life, which drives me to seek more knowledge, versatility and a hunger for the quest for knowledge based in Information Technology. Moreover, the depth of my thesis has given me a broad-based understanding of the subject involved.

Rohit Kumar Nanduri

1. Chapter 1: Introduction

Problem Statement

In the current IT environment it is becoming increasingly rare to find an organization that fully owns and operates all parts of its IT operations. From network to applications to business processes, it seems that all parts of the business have become a candidate for outsourcing in one form or another. However, despite the increasing reliance on external providers to supply critical parts of the IT organization, information security has been one area that has been slow to react to the increased complexity that outsourcing places on the organization's Information Security Management Systems. Indeed, it is only recently that information security has itself become recognized as a candidate for outsourcing.
This paper presents a framework that outlines an appropriate division of roles and responsibilities for managing an organization's information security risks within an outsourced environment.

2. Security Principles

Outsourcing of critical IT infrastructure has been identified as being of particular concern to regulatory authorities [1], due to the amount of sensitive information that is being placed in the hands of entities external to the organization nominally entrusted with its care. This has been recognized within section 4.3 of the Code of Practice for Information Management [2].

[1] Privacy Obligations for Government Contracts, http://www.privacy.gov.au/publications/IS14_01.pdf (article published March 2002; accessed 3/10/2011)
[2] APRA Insight (http://www.privacy.gov.au/publications/IS14_01.pdf)

ISO 17799

This standard defines a set of principles that should be present within outsourcing contracts. A contract with an outsourcer should contain reference to:
1. How any legal requirements are to be addressed, for instance specific data requirements for maintaining the confidentiality and integrity of any personal details [3];
2. The arrangements that are in place to ensure that all parties are aware of their security responsibilities; this must include provisions for any sub-contractors that may be employed by the outsourcer;
3. How the confidentiality, integrity and availability of organizational assets are going to be maintained;
4. Those physical and logical controls which are used to ensure that access to organizational business information is restricted appropriately [4];
5. How service is to be maintained in the event of a disaster;
6. The physical security measures put in place to protect the organization's assets; and
7. The right of audit.
Whilst these principles provide a good foundation for ensuring that information security is being addressed in an outsourcing contract, they do not provide sufficient detail to ensure that information security is being managed appropriately. The remainder of this paper sets out a generalized model for an Information Security Management System (ISMS) for use when parts of the IT infrastructure have been outsourced.

1. Privacy Obligations for Government Contracts, http://www.privacy.gov.au/publications/IS14_01.pdf (accessed 3/10/2011)
2. Information Security Management Systems (ISMS), BSI Standard 100-1, version 1.5, May 2008, http://www.bsi.bund.de/ (accessed 5/10/2012)

1.3 Target group

The thesis is directly aimed at IT operations and information security staff, as well as IT security officers, experts, consultants and interested personnel who form the basis of enacting information security within mainstream medium-sized organisations, and it works towards ensuring ongoing development across all developmental sectors of the information superhighway.

1.4 Application

The ISO standards describe how information security, or an ISMS, is formulated: the areas of development are gathered, key objectives are defined, and the essential management techniques are coordinated, giving due importance to growth where security is concerned, so as to satisfy the objectives currently at hand (http://www.bsi.bund.de/, accessed 5/10/2011).

"Security management and information security look towards the specific administrative level of an institution that should be used to comprehensively manage the tasks and activities aimed at achieving information security within all sectors of work." (http://www.bsi.bund.de/, accessed 5/10/2012)
Information security is used in conjunction with these standards to define the key attributes of contextual practices, which aim to substantiate how security should be managed and to coordinate the specific area of concentration, namely security management systems.

The BSI standard provides specific key criteria when selecting standards. They are as follows:
• What are the success factors with information security management?
• How can the IT security process be managed and monitored by the management responsible for this?
• How are security objectives and an appropriate IT security strategy developed?
• How are IT security measures selected and an IT security policy drawn up?
• How can an achieved level of security be maintained and improved?
(Information Security Management Systems (ISMS), BSI Standard 100-1, Version 1.5, May 2008, http://www.bsi.bund.de/, accessed 5/10/2012)

A cohort of consensus defines the process towards standards which hold key importance for strategies on security management systems, be it in the following sectors:
• Governmental
• Private sector
• Not-for-profit organisations
• Charitable trust organisations
• SMEs
• B2B sectors

"Standard security measures for practical implementation of the appropriate level of IT security are recommended at the corporate level within German mainstream organisations." (Information Security Management Systems (ISMS), BSI Standard 100-1, Version 1.5, May 2008, http://www.bsi.bund.de/, accessed 5/10/2012)

3. Risk Management / Risk Analysis

When the decision is made to outsource some or all of an organization's IT functions, it is important to ensure that an appropriate risk management strategy is in place to ensure that information security is maintained.
One of the greatest challenges is how to combine the risk and security management strategies of two separate organizations to ensure that the confidentiality, integrity and availability of the organization's business assets are maintained.

Figure 1: Balance Delivery with Liability (http://www.ittoday.info/Articles/CIO-Risk/CIO-Risk.htm, accessed 5/10/2011)

Risk analysis forms the basis for getting hold of the key criteria and for validating the rate of success during the planning stages, which will eventually lead to risk being mitigated through well-balanced, coordinated strategies. It forms the basis of the cost-benefit analysis of projects directed at security management systems, both in risk management and in the quantitative analysis of project impact. Risk analysis is placed in the analysis phase of the SDLC in current lifecycle models.

Figure 1: Systems development lifecycle (SDLC) chart (http://www.infosectoday.com/Articles/Intro_Risk_Analysis.htm, accessed 5/10/2012)

Analysis of risk is at the epicentre of forecasting: it is where the necessary resources are allocated and manpower requirements are identified, through a cost-benefit analysis of demand and supply, in order to gain recognition for project funding in the starting stages.

Figure 1:
Risk Analysis Table (http://www.infosectoday.com/Articles/Intro_Risk_Analysis.htm, accessed 5/10/2012)

Organisations which define the scope of a project must refer to the organisation's stakeholder criteria in order to keep stakeholders informed, since stakeholder management decides the extent of the financial resources and the availability of the resources needed to procure day-to-day operational measures and to staff the necessary requirements. "Software development groups typically concentrate primarily on delivering functionality and meeting schedules because they perceive that management priorities place these goals far ahead of application security and regulatory compliance." (http://web.securityinnovation.com/whitepaper-library, accessed 5/10/2012)

Good development practice leads to a sound delivery model for management, one which emphasises getting the message across regarding compliance regulations. "To counteract this tendency, software development groups need guidance from management on topics such as:
• The importance management places on data security and compliance relative to other priorities.
• The direct impact software applications have on data security risks.
• The applicability and relative importance of the many governmental regulations, such as federal, state and international regulations, and industry standards.
• The business implications of not meeting compliance mandates.
• The potential impact on business of different types of data breaches and attacks on business systems." (http://web.securityinnovation.com/whitepaper-library, accessed 5/10/2012)

Security is by all means at the forefront of creating strategies and of implementing virtual teams and group teams in a coordinated movement to put delivery models in place, which in turn provides 24/7 constant monitoring if and when attacks on security management systems are encountered.
Corporate organisations resort to cohorts of teams. The seven principles outlined in section 2 provide general guidance as to the types of issues that should be present in outsourcing contracts; however, the principles themselves do not provide any clues as to how this should be accomplished. The model presented in the following section gives guidance as to how the various components of information security management can be divided between the business and its outsource provider(s). In section 3.2 it is shown how this model addresses the ISO 17799 outsourcing principles.

Figure 1: Different modeling techniques to address each threat risk and risk type are combined to augment the more conventional application testing approach.

1. Responsibilities

One of the principles in The Standard [i] states that "arrangements will be in place to ensure that all parties involved in the outsourcing, including subcontractors, are aware of their security responsibilities". The Guidelines for the Management of IT Security (GMITS) Part 3 [ii] define a structure for managing risk within an organization. This model can be adapted to an outsourcing situation. The resulting breakdown is shown in Figure 1 - Division of Responsibilities. The diagram is adapted from GMITS Part 2 [5], with shading added by the author to indicate the division of responsibility appropriate to ensure that risk management responsibilities are allocated correctly between the outsourcer and the business.

1. Strategy

It is important that the business retains control of, and responsibility for, the IT Security Objectives and Strategy. The IT Security Objectives define the level of risk that is acceptable to the business, and the Strategy defines how the business will remain within these risk parameters.
(http://www.infosectoday.com/Articles/Security_Metrics_Overview.htm, accessed 3/10/2012)

Retaining control over this function ensures that the outsourcer has a defined goal to work towards, which in turn will assist in the success of the overall outsourcing venture [6].

2. Risk Management

An important component in the management of risks to business assets is the selection of an appropriate strategy for analyzing risk. Selection of an inappropriate risk analysis strategy can lead to a superficial analysis of the issues or result in overly long and costly risk assessments.

Figure 1.2: Development of ISO 27001 and ISO 27002 standards (http://www.infosectoday.com/Articles/27001.htm, accessed 3/10/2012)

Table 1.1: ISO 27000 Family (ISO/IEC Standard: Description)
(Pending): Vocabulary and definitions
27001: Information Security Management System requirements (specification)
27002: Code of practice for information security management
27003 (Pending): Implementation guidance
27004 (Pending): Metrics and measurement
27005 (Pending): Risk management
(http://www.infosectoday.com/Articles/27001.htm, accessed 3/10/2012)

Table 1.2: ISO 27002 Security Control Structure
Control: Definition of the security control, with a statement regarding the qualities necessary to fulfill the control requirement.
Implementation guidance: Includes information for implementing the control and guidance to fulfill the requirements of the control.
Other information: In some controls there is a clause "Other Information", where there are references to information related to the specific control.
(http://www.infosectoday.com/Articles/27001.htm, accessed 3/10/2012)

GMITS defines a number of risk analysis strategies that the business can use to analyze risk [7].
Of these, the most suitable approach for an outsourcing situation is the combined approach. This approach uses a high-level assessment to determine whether a more detailed assessment is necessary or whether the risk can be analyzed using the existing baseline. The high-level risk assessment should be performed by the business. The determination of what level of business risk is involved in a particular operation or concept is best left to the business, where the impact of any miscalculation of risk will be felt. If a detailed risk assessment is required, this should also be the responsibility of the business. Should the high-level assessment determine that the level of risk is not too significant, the baseline approach is used. Responsibility for a baseline risk assessment is shared between the outsourcer and the business. The outsourcer effectively controls the IT baseline, and the business must sign off on, and be responsible for, the level of risk associated with the baseline.

Figure 1: Different modeling techniques to address each threat risk are combined to augment the more conventional application penetration testing approach. (http://www.ittoday.info/Articles/Software_Security_Total_Risk_Management.htm, accessed 11/10/2012)

The selection of appropriate safeguards is also a shared responsibility. Safeguards to manage risks will most likely be a mixture of operational and technical controls [8].
Whilst technical controls (for example firewalls and other pieces of security technology) will usually be implemented by the outsourcer, operational controls (such as security policies) will usually remain the responsibility of the business. Acceptance of risk and the development of any system-specific policies should remain with the business. It is a general principle that whilst the assets themselves, and even the business process surrounding the asset, can be outsourced, the risk associated with the asset is retained by the business. The outsourcer should then produce a System Security Plan that details how the requirements of the System Security Policy are going to be met. Whilst the production of the actual plan will be the responsibility of the outsourcer, this item nonetheless remains a shared responsibility, as the business should approve the content of the System Security Plan as part of the general risk management process.

3. Maintenance

Maintaining IT systems is a matter of balancing many competing priorities, such as service levels against cost, and the maintenance of IT security components is no different. Maintenance of IT systems is almost always a shared responsibility. The outsourcer makes recommendations to the business as to any changes required to maintain and improve service levels, and the business evaluates and approves these proposals.

[8] Standards Australia, HB 231, Section 4.5.3.1

The business is responsible for ensuring that the direction established by the IT Security Strategy, and the countermeasures identified during risk management, are maintained. For this reason it is important that the business retains responsibility for Security Compliance Checking. This provides the business with a level of comfort that information security measures are being appropriately maintained. The responsibility for monitoring should rest with the outsourcer.
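The split just described, in which the outsourcer operates and monitors the technical controls while the business keeps Security Compliance Checking, can be made concrete. The following Python script is an illustration added to this edition; it is not part of the thesis and not taken from any standard or product. It takes a firewall ruleset in the form an outsourcer might export it and checks it against three requirements that a business's System Security Policy could state: no blanket permit rule, administrative ports (here SSH and RDP) reachable only from the business's management network, and an explicit default-deny as the final rule. The requirement set, the address ranges and the rules themselves are all constructed for the example.

```python
"""Compliance check of an outsourcer-operated firewall ruleset against the
business's System Security Policy.

Added example, not part of the original thesis. The policy requirements,
the address ranges and the ruleset are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule as exported by the outsourcer (constructed format)."""
    name: str
    action: str   # "permit" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # "any", a single port ("22") or a range ("1024-65535")


# Hypothetical System Security Policy requirements the business has signed off.
POLICY = {
    # Administrative services must only be reachable from the business's
    # management network (constructed range).
    "admin_ports": {22, 3389},
    "admin_sources": [ip_network("10.50.0.0/24")],
    # A blanket permit defeats every other rule, so it is forbidden outright.
    "forbid_permit_any": True,
    # The ruleset must end in an explicit deny-all.
    "require_default_deny": True,
}


def _is_any(cidr: str) -> bool:
    """'any' or a /0 prefix matches every address."""
    return cidr == "any" or ip_network(cidr).prefixlen == 0


def _exposes_port(rule_port: str, port: int) -> bool:
    """True if the rule's port field includes the given port."""
    if rule_port == "any":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def _within_allowed(cidr: str, allowed) -> bool:
    """True if the source range is contained in one of the approved networks."""
    if _is_any(cidr):
        return False
    net = ip_network(cidr)
    return any(net.subnet_of(a) for a in allowed)


def check_compliance(rules: List[Rule], policy: dict) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs; an empty list means compliant."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if (policy["forbid_permit_any"] and _is_any(r.src)
                and _is_any(r.dst) and r.port == "any"):
            findings.append((r.name, "permit any/any/any rule present"))
        exposed = sorted(p for p in policy["admin_ports"] if _exposes_port(r.port, p))
        if exposed and not _within_allowed(r.src, policy["admin_sources"]):
            findings.append((r.name, f"admin port(s) {exposed} reachable from {r.src}"))
    if policy["require_default_deny"]:
        last = rules[-1] if rules else None
        if not (last and last.action == "deny" and _is_any(last.src)
                and _is_any(last.dst) and last.port == "any"):
            findings.append(("<end of ruleset>", "no final default-deny rule"))
    return findings


# Constructed ruleset standing in for the outsourcer's export.
RULES = [
    Rule("web-in",       "permit", "any",             "192.0.2.10/32", "443"),
    Rule("mgmt-ssh",     "permit", "10.50.0.0/24",    "192.0.2.0/24",  "22"),
    Rule("vendor-rdp",   "permit", "198.51.100.0/24", "192.0.2.20/32", "3389"),
    Rule("legacy-any",   "permit", "any",             "any",           "any"),
    Rule("high-ports",   "permit", "203.0.113.0/24",  "192.0.2.30/32", "1024-65535"),
    Rule("default-deny", "deny",   "any",             "any",           "any"),
]

if __name__ == "__main__":
    for name, finding in check_compliance(RULES, POLICY):
        print(f"NON-COMPLIANT  {name}: {finding}")
```

Run against the constructed export, the check flags the vendor RDP rule (administrative port from a non-management network), the legacy permit-all rule (twice: as a blanket permit and because it exposes the administrative ports to everyone), and the high-port range rule (its range includes 3389), while the web and management SSH rules and the closing deny pass. The point for the division of responsibilities is that the outsourcer supplies the ruleset and the monitoring feed, but the policy constants and the check that runs against them belong to the business; an outsourcer grading its own configuration is monitoring, not compliance checking.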
Monitoring is the means by which the effectiveness of any security controls or processes can be managed. In an outsourced environment the outsourcer is operating the IT assets and should be providing the business with constant feedback on the performance of all components under its control. Change management is a shared responsibility. The business should have a role in approving changes to IT systems made in response to recommendations from the outsourcer. The responsibility for incident management is also shared. Typically it will be the outsourcer, in its role as custodian of the IT system(s), that forms the first stage of any incident response process, as security incidents often manifest themselves as outages or unexplained behavior in IT systems [9]. Once an incident has been identified as having occurred, the business would normally become involved to determine the appropriate steps to resolve the incident. The interactions involved in appropriate incident management are quite complex and beyond the scope of this paper; however, in general the business makes the policy and risk management decisions, with the outsourcer providing advice and performing any technical changes.

[9] Carnegie Mellon University (accessed 11/10/2012)

2. Correlation to ISO 17799

1. Legal Requirements

As the organization retains control of IT Security Strategy and overall policy, it is the responsibility of the organization to ensure that the policies are in compliance with any applicable legal and legislative requirements. Organizational ownership of compliance checking provides assurance that any obligations arising from corporate policies and procedures are being carried out by the outsourcer.

2. Awareness of Security Responsibilities

Whilst this document does present a framework around which outsourcing services can be agreed, the actual division of work will be defined in the contract between the business and its outsourcer.
By working within the suggested framework, both parties will be broadly aware of the distinct information security areas that need to be addressed. This will ensure that all parties (not just the outsourcer) are fully aware of their security responsibilities. (http://www.ittoday.info/Articles/ISO_27001_Certification.htm)

3. Maintenance of Confidentiality, Integrity and Availability

The maintenance of confidentiality, integrity and availability of organizational assets is perhaps one of the most significant challenges during an outsourcing engagement. Outsourcing requires that control of sensitive and business-critical information is turned over to a third party who does not necessarily have the same vested interest in ensuring that the data is adequately protected. The suggested framework ensures that whilst the actual maintenance of security equipment resides with the outsourcer, the business retains control over policy decisions regarding those assets. This division of labor means that it is the business who has ultimate control over decisions regarding the confidentiality, integrity and availability of its assets. By retaining control over the audit function, the business is also able to ensure that the outsourcer is maintaining the standard required and specified by the business.

Figure 1.1: Security Cornerstones (http://www.infosectoday.com/Articles/27001.htm, accessed 11/10/2012)

Figure 1.3: PDCA Model (http://www.infosectoday.com/Articles/27001.htm, accessed 11/10/2012)

4. Physical and Logical Controls over Access

See the diagram below.
(http://www.infosectoday.com/images/networkSecurity.jpg, accessed 11/10/2012)

Where physical controls and logical controls are required to ensure that there is no unauthorized access to company resources, this should be identified as part of the risk management activities associated with the framework. The provisions in the framework show how the business and the outsourcer are jointly responsible for the controls required to manage the business's risk. Whilst the responsibility for implementing the controls rests with the outsourcer, policy decisions as to their suitability remain with the business.

5. Service Maintenance during Disaster

The ISO 13335 framework is not particularly specific about the provision of disaster recovery facilities. However, disaster recovery (DR) and its driver, Business Continuity Planning (BCP) [10], are accommodated within ISO 17799 [11]. Both BCP and DR should be considered during the high-level risk analysis activity identified within the model, and a decision made as to whether the system falls within the existing baseline (for instance, additional on-line services could be incorporated into the existing DR and BCP baseline) or whether a detailed risk assessment is required. The System Security Policy should contain details of the BCP and DR requirements for the system. This provides the ultimate guide for ensuring that the requirements have been met. It is important to note that ISO 17799 considers BCP and DR to be part of the overall information security management system, and thus they are not treated as a separate activity in their own right.

(http://www.ittoday.info/Articles/Beyond_Disaster_Recovery.htm, accessed 11/10/2012)

6. Physical Security Measures

Required physical security measures would be identified and agreed during the Selection of Safeguards activity, and would then be the responsibility of the outsourcer to implement.

Figure 2: Service Desk Diagram (http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm, accessed 11/10/2012)

7. Right of Audit

Auditing falls broadly into the part of the framework identified as maintenance. It is vitally important that the business ensures that appropriate auditing rights are factored into any outsourcing contract. The framework shows that the majority of maintenance activities are identified as being a shared responsibility; however, security compliance checking is clearly the responsibility of the business. Whilst the framework identifies the responsibilities, it is noted that it does not identify the actual rights of audit; however, using the framework should provide a useful starting point for discussions of audit content and frequency.

3. Risk Management and Managed Security Service Providers

Managed Security Service Providers (MSSPs) are a specific type of outsource service provider that offers some or all security services to a client. Some of the services that may be offered by an MSSP are [12]:
● Firewall management;
● Intrusion detection;
● Vulnerability assessment and testing;
● Antivirus management;
● Authentication;
● Security intelligence;
● Virtual private network; and
● Public key infrastructure.

[12] Kavanagh, 2001

Figure 1: ITIL Overview (http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm, accessed 1/10/2011)

As the majority of these services directly impact information security, the tendency is to assume that the solution to an organization's security issues is as simple as choosing an appropriate MSSP.
The thinking is that as information security is complex and non-cost recoverable, this is a function that should be best left to an outsourcer and not left to consume valuable internal resources. In the author’s experience, there is a tendency of businesses to assume that in selecting a MSSP, the information security issues for the organization have been solved. In fact, this is usually far from the case. Too often it is forgotten that the MSSP is there essentially to operate infrastructure 13 and thus is not responsible for the businesses security strategy or 12F requirement. Indeed, organizational control of security strategy is an essential component of Security Outsourcing 14. 13F The framework shown in Figure 1 is equally applicable to outsourcing the information security function itself. The business must retain control over the decision making process as to what level of risk is acceptable and then be responsible for ensuring that the outsourcer is performing the appropriate actions to ensure that the risk is managed in an appropriate fashion. 4. Evaluating the Outsourcer Having made the decision to outsource some, or all, of the IT Infrastructure, it is important to ensure that an evaluation of the outsourcer’s information security security management system Page 34 of 58 practice is included as part of the due diligence process (it sounds straightforward but in the author’s experience this is often overlooked). This applies whether the target of the outsource is the security function itself or a general part of the IT infrastructure. When conducting due diligence on an outsourcer there are a number of key indicators that should be taken into account. These include: ● Does the outsourcer have a clear security policy? ● Is the outsourcer’s management clearly and visibly committed to information security? Table 2.3 Measuring IT Performance and Activities Question Analysis 1. 
Do you have any view of how IT Sixty-two percent state that they have a view on should be measured and accounted measurement; however, there is significant variation in for? how executives define measurement. There is significant variation in IT satisfaction. Only 2. Are you satisfied with IT 19% are very satisfied. Thirty-three percent are satisfied, performance in the firm? another 33% are less satisfied, and 14% are dissatisfied. 3. How do you budget IT costs? Is it Fifty-seven percent state that they do not use gross based on a percentage of gross revenues in their budgeting methodologies. revenues? security management system Page 35 of 58 4. To what extent do you perceive Seventy-one percent feel that technology is a significant technology as a means of increasing means of increasing both marketing and productivity in marketing or productivity, or both? their firms. 5. Are Internet/Web marketing Only 24% state that Internet/Web marketing efforts activities part of the IT function? report directly to the IT organization. (http://www.ittoday.info/Articles/IT_Dilemma.htm Accessed on 3/10/2011) Table 1. Perception and Role of IT. Question Analysis Fifty-seven percent responded that their IT organizations were reactive and did not really have a mission. Twenty- 1. How do you define the role and eight percent had an IT mission that was market-driven; the mission of IT in your firm? i.e., that their IT departments were responsible for actively participating in marketing and strategic processes. Twenty-eight percent feel the impact is insignificant, while 2. What impact has the Internet had 24% feel it is critical. The remaining 48% feel that the on your business strategy? impact of the Internet is significant to daily transactions. 3. Does the firm have its own internal software development Seventy-six percent have an internal development activity? Do you develop your own organization. 
Eighty-one percent have internally developed in-house software or use software software. packages? security management system Page 36 of 58 4. What is your opinion of outsourcing? Do you have the need Sixty-two percent have outsourced certain aspects of their to outsource technology? If so, how technology needs is this accomplished? 5. Do you use consultants to help formulate the role of IT? If yes, Sixty-two percent of the participants use consultants to what specific roles do they play? If assist them in formulating the role of IT. not, why? 6. Do you feel that IT will become Eighty-five percent feel that IT has recently important to more important to the strategic of the strategic planning become more planning of the the business? If yes, why? business. Twenty-nine percent feel that IT is still very marginalized. 7. How is the IT department viewed Another 29% feel it is not very integrated. Thirty-eight by other departments? Is IT percent feel IT is sufficiently integrated within the department liked or is it organization, but only one chief executive feels that IT is marginalized? very integrated with the culture of his firm. 8. Do you feel there is too much Fifty-three percent feel that there is no hype. However, "hype" about the importance and 32% feel that there are levels of hype attributed to the role role of technology? of technology; 10% feel it is "all hype." 9. Have the role and the uses of Fourteen percent feel little has changed, whereas 43% technology in the firm significantly stated that there were moderate changes. Thirty-eight changed over the last five years? If percent state significant change. so, what are the salient changes? security management system Page 37 of 58 (http://www.ittoday.info/Articles/IT_Dilemma.htm) (Accessed on 11/10/2012) ● Is there evidence that the supplier has assessed the security risks, understood the legal risks and is prepared to implement appropriate countermeasures? 
● Does the outsourcer’s operational team have a good, demonstrated knowledge and understanding of information security issues?
● Does the outsourcer follow some well-recognized standard for Information Security Management, such as ISO 17799?
● Are there visible information and data security signals, such as appropriate physical security at data centers, security vetting for personnel involved in the management of business resources, and password access to IT systems?

Table 2.2 Management and Strategic Issues
1. What is the most senior title held by IT? Where does this person rank on the organization hierarchy?
   Analysis: Sixty-six percent call the highest position "CIO" (Chief Information Officer). Ten percent use "Managing Director," while 24% use "Director" as the highest title.
2. Does IT management ultimately report to you?
   Analysis: Fifty percent of IT leaders report directly to the chief executive; the other half report to either the chief financial officer or the chief operating officer.
3. How active are you in working with IT issues?
   Analysis: Fifty-seven percent state that they are very active, on a weekly basis. Thirty-eight percent are less active or inconsistently involved, usually stepping in when an issue becomes problematic.
4. Do you discuss IT strategy with your peers from other firms?
   Analysis: Eighty-one percent do not communicate with peers at all. Only 10% actively engage in peer-to-peer communication about IT strategy.
5. Do IT issues get raised at board, marketing, or strategy meetings?
   Analysis: Eighty-six percent confirm that IT issues are regularly discussed at board meetings. However, only 57% acknowledge IT discussion during marketing meetings, and only 38% confirm similar discussions at strategic sessions.
6. How critical is IT to the day-to-day business?
   Analysis: Eighty-two percent of the chief executives feel it is very significant or critical to the business.
(http://www.ittoday.info/Articles/IT_Dilemma.htm, accessed on 11/10/2012)

“One of the challenges in establishing the outsourcing arrangement will be merging the security requirements of the outsourcer with the security requirements of the business it is outsourcing. Although the outsourcer may have its own internal security policies these should be examined to ascertain if there are appropriate provisions for including a client security domain (or indeed multiple client domains) within their (the outsourcer’s) policy structure. This issue is illustrated in a diagram developed by the author shown as Figure 2 - Security Domains Within a Data Center.”
http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012

Figure 2 - Security Domains Within a Data Center

Figure 2 shows how an outsourcer might choose to integrate a client’s security requirements into their existing data center. Ideally, the outsourcer would have a complete set of security policies and procedures that detail its own information security management requirements; this is depicted as the Outsourcer Security Domain. Everything within the outsourcer’s control should be governed by the set of security policies and procedures that govern this domain. Within the outsourcer’s security domain there are likely to be a number of client security domains. These reflect the needs and requirements of specific customers within the outsourcing environment. Each client will have different requirements for managing the risk to their business and thus will have slightly different requirements for the way in which information security countermeasures are to be applied to their machines. The outsourcer’s security policies should be developed in such a way as to take this into account. One of the clear indicators of how well the outsourcer understands the security risks and implications will be the conduct of security due diligence on the business.
As previously stated, outsourcing is a partnership and as such it should be expected that the outsourcer will perform some due diligence activities to assess the various aspects of the business in order to formulate a suitable contract. As part of the development of the contract, the outsourcer should be taking steps to understand the security requirements of the business. The information security requirements of the business will have a significant impact on the way in which information security is maintained for those assets that are to be outsourced. A robust, thorough Information Security due diligence process by the outsourcer is a good indication that there is a good understanding of Information Security issues and the way in which these issues should be addressed.

12 Dangers of Endpoint Security
1. AntiVirus alone is inadequate: a Symantec survey of U.S.-based small businesses finds nearly 60 percent of respondents have not implemented endpoint protection (software that protects endpoints such as laptops, desktops and servers against malware). 42 percent do not have an antispam solution, and one-third do not even have the most basic protection of all -- antivirus protection.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
2. Lack of IT expertise: the same Symantec survey finds 42 percent of SMBs do not have a dedicated IT staff -- they either have no one managing their computers or they use staff that has other jobs.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
3. Explosion of malware: Symantec in 2008 created more than 1.6 million new malicious code signatures, a 165 percent increase over 2007.
4. Fame to fortune: the primary motivation of attackers has evolved from wanting to achieve public notoriety to financial gain, and they are employing attacks that are more stealthy and insidious.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
5. Unpatched endpoints: ignoring updates from software companies leaves businesses much more susceptible to infection and attack.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
6. Confidential information loss: this could be due to well-meaning insiders, malicious insiders or external attackers. SMBs are less likely to have network server and storage space, and are therefore more likely to store sensitive information on endpoints that need to be protected.
7. Rogue security software: also known as scareware, these attacks pose as legitimate security software but actually facilitate the installation of the malicious code they purport to protect against.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
8. Drive-by downloads: malware that resides on web sites and infects the systems of people who visit those sites. SMBs are increasingly adopting Internet and Web-based computing models to conduct tasks like web mail, file sharing and social media communication, and are therefore at high risk of having their endpoints infected via the web.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
9. Netbooks: these inexpensive tools are becoming more popular for business purposes, and they need to be secured just like traditional desktops and laptops. Relying on the limited security functionality built into operating systems will not provide adequate security.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
10. Smartphones: the first attack targeting smartphones and other mobile devices appeared in 2005 as a Multimedia Messaging Service (MMS) worm. As more employees attach their smartphones to the company network, the risk of confidential information loss also increases.
11. Wireless networks: businesses must ensure their WiFi networks, and the endpoints connecting to them, are secure.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 17/10/2012
12. Cloud computing: web-hosted services can dramatically increase productivity and reduce IT costs, but these environments must be secured just like on-site data centers.
   http://www.infosectoday.com/Articles/Endpoint_Security.htm, accessed on 18/10/2012

Diagram of ISMS: concept of applying the management system conceptual model to Information Security (http://www.infosectoday.com/Articles/ISMS/Information_Security_Management_Systems.htm, accessed on 1/10/2011)
Model of the Business Enabler part of the ISMS model (http://www.infosectoday.com/Articles/ISMS/Information_Security_Management_Systems.htm, accessed on 11/10/2012)
Who participates in the ISMS (http://www.infosectoday.com/Articles/ISMS/Information_Security_Management_Systems.htm, accessed on 11/10/2012)

Back It Up
Data drives small business, and the ability to keep it always available is critical for a business’ success. To that end, organizations must regularly back up their data, using a tiered approach that saves data to disk as well as to tape for short- and long-term purposes. For quick recovery, disk is often the preferred media. For long-term storage and data archiving, tape is an effective option. Both methods play a major role in the backup strategies of many organizations.
http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012

“Today’s most advanced backup tools for small businesses provide continuous data protection for an organization’s most valuable information, whether that data is on a Windows file server, a desktop or laptop, or a Microsoft Exchange, SQL, SharePoint, or other application server. New cutting edge tools have revolutionized data protection by eliminating backup windows and enabling small businesses to recover data in seconds. For example, while traditional approaches for backing up Exchange required a full database backup and “brick level” mailbox backups, these tools offer a full, incremental, or continuous backup of Exchange and enable restores to a granular level--including down to an individual email—from a single database backup pass.”
http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012

Recover It Fast
After a disaster, businesses are often left with anxieties and pressures to recover data quickly. While prevention of data loss is a must, system recovery is equally important. Traditional recovery methods, however, are cumbersome, with manual system rebuilds from bare metal taking hours or even days. Small businesses must be able to recover from system loss or disasters in minutes. What’s more, they need to be able to recover servers, desktops, or laptops to dissimilar hardware and in remote, unattended locations. Consequently, many small businesses are also deploying system recovery tools that capture the operating system, applications, system settings, configurations, and files of a live system in a recovery point that can be saved to a wide variety of media or storage devices. An administrator can schedule how often data recovery points are created and can retain specific recovery points for different time periods in accordance with business needs.
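The scheduled recovery points and tiered disk/tape retention described above, together with the recovery point objective and "test the restore" checks in the disaster recovery tips later on this page, worked through as an added example (not code from the thesis or from the articles it quotes). The retention tiers, the RPO value, SAMPLE_NOW and the nightly sample points are constructed assumptions; the block generalizes the text's single schedule into a retention planner for any set of recovery points.

```python
# Added example, not from the thesis or the articles it cites. Policy values,
# SAMPLE_NOW and the sample recovery points are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class RecoveryPoint:
    name: str
    created: datetime
    media: str      # "disk" or "tape": where this copy currently lives
    sha256: str     # digest recorded when the point was written


@dataclass(frozen=True)
class RetentionPolicy:
    daily_on_disk: int = 7                 # newest N points, kept for quick restores
    weekly_on_tape: int = 4                # one point per ISO week, for N weeks
    monthly_on_tape: int = 12              # one point per calendar month, for N months
    rpo: timedelta = timedelta(hours=24)   # tolerable gap since the last good point


def plan_retention(points, policy, now):
    """Apply the tiered policy to a set of recovery points.

    Returns a dict: 'keep' and 'prune' (point names), 'copy_to_tape' (long-term
    points that still exist only on disk) and 'rpo_breached' (True when the
    newest point is older than the policy RPO, i.e. the nightly job is late).
    """
    newest_first = sorted(points, key=lambda p: p.created, reverse=True)
    keep, long_term = set(), set()

    # Short-term tier: the newest N points, whatever media they are on.
    keep.update(p.name for p in newest_first[:policy.daily_on_disk])

    # Weekly tier: the newest point in each ISO week inside the window.
    seen_weeks = set()
    for p in newest_first:
        if now - p.created > timedelta(weeks=policy.weekly_on_tape):
            break  # list is sorted, so everything after this is older still
        week = p.created.isocalendar()[:2]
        if week not in seen_weeks:
            seen_weeks.add(week)
            long_term.add(p.name)

    # Monthly tier: the newest point in each calendar month inside the window.
    seen_months = set()
    for p in newest_first:
        months_back = (now.year - p.created.year) * 12 + now.month - p.created.month
        if months_back >= policy.monthly_on_tape:
            break
        month = (p.created.year, p.created.month)
        if month not in seen_months:
            seen_months.add(month)
            long_term.add(p.name)

    keep |= long_term
    by_name = {p.name: p for p in points}
    return {
        "keep": sorted(keep),
        "prune": sorted(p.name for p in points if p.name not in keep),
        "copy_to_tape": sorted(n for n in long_term if by_name[n].media != "tape"),
        "rpo_breached": not newest_first or now - newest_first[0].created > policy.rpo,
    }


def verify_point(point, content):
    """The 'test it' step: confirm restored content still matches the recorded digest."""
    return hashlib.sha256(content).hexdigest() == point.sha256


# Constructed sample: one nightly point per day at 02:00, the ten newest on disk.
SAMPLE_NOW = datetime(2012, 10, 18, 6, 0)


def sample_points(now=SAMPLE_NOW, days=45, disk_days=10):
    points = []
    for i in range(days):
        created = now.replace(hour=2, minute=0) - timedelta(days=i)
        stamp = f"{created:%Y%m%d}"
        digest = hashlib.sha256(f"backup-{stamp}".encode()).hexdigest()
        points.append(RecoveryPoint(f"rp-{stamp}", created,
                                    "disk" if i < disk_days else "tape", digest))
    return points


def run_sample(hours_late=0):
    """Plan against the sample, optionally pretending the job has been silent."""
    now = SAMPLE_NOW + timedelta(hours=hours_late)
    return plan_retention(sample_points(), RetentionPolicy(), now)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

A weekly point that falls inside the daily tier is still listed under copy_to_tape, because the disk copy will be pruned once it ages out of that tier.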
Virtualization can help small businesses better leverage their disaster recovery strategy. With server virtualization technology, multiple operating systems can be run on a single server, which enables organizations to consolidate servers and make better use of existing hardware resources. This is particularly beneficial for organizations such as small businesses that typically lack a spare system to which to restore data.

As today’s data-driven global marketplace evolves, information volumes will continue to increase. At the same time, natural disasters, power outages, application failures, system crashes, and other potentially damaging events will likely remain a challenge for businesses of all sizes. Human error will never be eliminated, and downtime will likely become less rather than more acceptable. Disaster recovery planning, in turn, will become a greater priority for small businesses as well as large enterprises. By leveraging next-generation data and system protection tools and service offerings, small businesses can prepare for disasters, minimize downtime, and ensure efficient and rapid recovery.
http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012

Top 5 Tips for Developing a Disaster Recovery Strategy
1. Document! Every element of your DR process is important. Make sure everything is documented and ensure it includes the locations of system and other critical disks and data. Key staff members—within IT and other areas of the organization—should be familiar with these documented storage locations.
   http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012
2. Automate Processes. Establish an automated system to notify critical staff of a disaster by text, phone or email. Train your staff on the system to perform basic DR/back-up tasks unsupervised.
   Symantec recommends enterprises have a complete disk-based data protection solution across all environments, offices and hardware.
   http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012
3. Back It Up. Backing up critical data seems like a no-brainer. But if you neglect to do so, no matter how good your DR plan is it will be of no use. Don’t just back it up—test it!
   http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012
4. Protect from the Inside. Internal theft is on the rise and usually goes undetected. Be sure to protect your company from random theft, vandalism and employee malice. Be aware of the data location, where it is stored and where it is going. Put controls in place that automatically safeguard the data according to corporate policy, such as a policy that all traveling laptops are backed up.
   http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012
5. Practice Makes Perfect (almost). Practice your DR plan on a quarterly basis, or better yet, more frequently. This will strengthen your organization’s skills, help you figure out more efficient logistics, work out the kinks in your system and give you the confidence that your plan will work when tested.
   http://www.ittoday.info/Articles/Expecting_Disaster.htm, accessed on 18/10/2012

Ten Tips for Disaster Recovery Planning
1. Devise a disaster recovery plan: IT disaster recovery planning can be a daunting undertaking, with many scenarios to analyze and options to pursue. It is important to start with the basics and add to the plan over time. To begin, define what is important to keep the business running - i.e., email and application access, database back-up, computer equipment - and the "recovery time objective", or how quickly the company needs to be up and running post-disaster.
   Other key plan components to consider are determining who within the organization declares the disaster, how employees are informed that a disaster has occurred, and the method of communication with customers to reassure them that the company can still service their needs.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
2. Monitor implementation: Once a disaster recovery plan has been established, it is critical to monitor the plan to ensure its components are implemented effectively. A disaster recovery plan should be viewed as a living, breathing document that can and should be updated frequently, as needed. Additionally, proactive ongoing monitoring and remediation of processes, such as back-up data storage and data replication, results in fewer IT issues and less downtime should a crisis occur.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
3. Test the disaster recovery plan: A 2007 eWeek survey of more than 500 senior IT professionals revealed that a whopping 89% of companies test their disaster recovery/failover systems only once per year or not at all, leaving their enterprises vulnerable to massive technology and business failures in the event of a disaster. An under-tested plan can often be more of a hindrance than having no plan at all. The ability of the disaster recovery plan to be effective in emergency situations can only be assessed if rigorous testing is carried out one or more times per year in realistic conditions, by simulating circumstances that would be applicable in an actual emergency. The testing phase of the plan must contain important verification activities to enable the plan to stand up to most disruptive events.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
4. Perform off-site data back-up and storage: Any catastrophe that threatens to shutter a business is likely to make access to on-site data back-up impossible.
   The primary concerns for data back-up are security during, and accessibility following, a crisis. There is no benefit to creating a back-up file of valuable data if this information is not transferred via a secure method and stored in an off-site data storage center with foolproof protection. As part of establishing a back-up solution, every company needs to determine its "recovery point objective" (RPO) - the time between the last available back-up and when a disruption could potentially occur. The RPO is based on tolerance for loss of data or re-entering of data. Every company should back up its data at least once daily, typically overnight, but should strongly consider more frequent back-up or "continuous data protection" if warranted.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
5. Perform data restoration tests: Using tape back-up for data storage has been integral to IT operations for many years; however, this form of back-up has not been the most reliable. Today, disk-to-disk systems are gaining popularity. With either type of system, the back-up software and the hardware on which it resides need to be checked daily to verify that the back-up completed successfully and that there are no pending problems with the hardware. With tape back-up, companies need to store the tapes in an off-site location that is secure and accessible, while disk systems need to have an off-site replica if the back-up is not run off-site initially. Moreover, companies need to perform a monthly test restoration to validate that a restoration can be accomplished during a disaster.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
6. Invest in theft recovery and data delete solutions for laptops: IDC reports that more than 70% of the total workforce in the U.S. will be considered mobile workers by 2009. Accordingly, laptops are increasingly replacing traditional desktop PCs.
   Unlike desktops, however, laptops are more easily misplaced or stolen, thus requiring organizations to secure data deletion and theft recovery options for their users' laptops. Theft recovery solutions can locate, recover and return lost or stolen computers, while data delete options can enable companies to delete data remotely from lost or stolen computers, thereby preventing the release of sensitive information.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
7. Install regular virus pattern updates: IT infrastructure is one of those realities of business life that most companies take for granted. Companies often do not focus on email security until an incipient virus, spyware or malware wreaks havoc on employees' desktops. Organizations need to protect their data and systems by installing regular virus pattern updates as part of disaster recovery planning, which may even help prevent a crisis from happening.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012
8. Consider hiring a managed services provider: For small- to medium-sized businesses, it is often cost prohibitive to implement a sound disaster recovery plan. Frequently these organizations lack the technical professionals to accomplish this. Managed services providers (MSPs) have emerged in recent years to perform this role. MSPs have the technical personnel to design, implement and manage complex disaster recovery projects. Additionally, MSPs have the server, storage and network infrastructure in place to manage a true disaster recovery plan.
   To keep costs manageable and make disaster recovery services, such as data storage and redundant servers, available to small- to medium-sized businesses, MSPs build shared, multi-tenant IT infrastructures that host multiple companies on the same hardware and network equipment, which helps keep costs affordable and advantageous for their customers.
   http://www.infosectoday.com/Articles/DRPlanning.htm, accessed on 18/10/2012

Figure 6. Security Diagram Image (http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm)

4. Conclusions
Outsourcing can offer significant cost reductions to businesses through the economies of scale available to the outsourcer, and can provide ready access to knowledge of current industry best practice. However, the decision to outsource the IT infrastructure also brings with it the added difficulty of adequately managing business risk and ensuring that control over that risk is appropriately allocated. A number of ISO Technical Reports, International Standards and private publications have been collated which provide information on Risk Management, although few of these explicitly recognize the reality that outsourcing is increasingly becoming the norm rather than the exception and that our information management systems have to recognize this reality. This is not to say that the information within the current body of knowledge is irrelevant, though, as the standard approaches to risk management can be easily adapted to suit an outsourced environment. ISO 17799 provides some high-level principles for consideration in outsourcing contracts that, when applied to risk management, provide a good basis for ensuring that information security is maintained even in a complex outsourced environment. Central to this is ensuring that all parties are completely aware of who is responsible for which sections of the information management puzzle.
By defining and allocating responsibilities for the various components of the risk management puzzle in such a way as to ensure that the business retains control over the information security and risk management strategy (including monitoring compliance), the security of the business can be maintained.

References
1. Australian Prudential Regulatory Authority, “Prudential Issues in Electronic Commerce.” APRA Insight, 1st Quarter 2001. URL: http://www.apra.gov.au/Insight/loader.cfm?url=/commonspot/security/getfile.cfm&PageID=2017 (March 2002).
2. International Organization for Standardization, “Code of Practice for Information Security Management.” ISO/IEC 17799:2000 (2000).
3. Office of the Federal Privacy Commissioner (Australia), “Privacy Obligations for Government Contracts.” Information Sheet 14-2001, December 2001. URL: http://www.privacy.gov.au/publications/IS14_01.pdf (March 2002).
4. International Organization for Standardization, “Techniques for the Management of IT Security.” ISO 13335-3:1998, Guidelines for the Management of IT Security Part 3 (1998).
5. Goolsby, Kathleen, “The Snowball Effect: Characteristics of Outstanding Outsourcing Relationships.” Outsourcing Center White Paper, February 2002. URL: http://www.outsourcingrequests.com/common/sponsors/4664/The_Snowball_Effect_Characteristics_of_Outstanding_Outsourcing_Relationships.pdf (March 2002).
6. International Organization for Standardization, “Managing and Planning IT Security.” ISO 13335-2:1997, Guidelines for the Management of IT Security Part 2 (1997).
7. Standards Australia, “Information Security Risk Management Guidelines.” HB 231:2000 (2000).
8. Carnegie Mellon University, “Monitor and Inspect Systems for Unexpected Behavior.” May 2001. URL: http://www.cert.org/securityimprovement/practices/p095.html (March 2002).
9. Noakes-Fry, Kirsten and Diamond, Trude, “Business Continuity and Disaster Recovery Planning and Management: Perspective.” Gartner Research Technology Overview, October 2001. URL: http://www.availability.com/resource/pdfs/DPRO-100862.pdf (March 2002).
10. Kavanagh, Kelly, “Managed Security Services.” Gartner Research Technology, August 2001. URL: http://www4.gartner.com/DisplayDocument?id=339855&acsFlg=accessBought (March 2002).
11. Berkman, Eric, “MSPs Say They’ll Do It All For You.” IT Outsourcing - CIO Magazine, November 2001. URL: http://www.cio.com/archive/110101/msp.html (March 2002).
12. Pankowska, Malgorzata, “Outsourcing Impact on Security Issues.” University of Poland. URL: http://figaro.ae.katowice.pl/~pank/secout2.htm (March 2002).
13. Peterson, Brad L., “Information Security in Outsourcing Contracts.” Outsourcing Journal, March 2002. URL: http://www.outsourcing14.journal.com/issues/mar2002/legal.html (March 2002).
15. http://www.ittoday.info/Articles/Software_Security_Total_Risk_Management.htm (accessed on 16/10/2012), with journals cited with date referenced.
16. http://www.ittoday.info/Articles/IT_Dilemma.htm (accessed on 16/10/2012).
17. http://www.ittoday.info/Articles/Expecting_Disaster.htm (accessed on 16/10/2012).
18. http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm (accessed on 17/10/2012).
19. http://www.infosectoday.com/Articles/DRPlanning.htm (accessed on 17/10/2012).

Notes
i. ISO 17799 section 4.3
ii. ISO 13335-3