PART II


Information Assurance Planning Process


As with any management practice, information assurance starts with comprehensive planning. Part II examines the practical considerations made when planning and establishing an information assurance management program. Central to the management program is establishing an information assurance management system (IAMS), which was discussed in Chapter 2.

Recall that the IAMS combines the components of people, process, and technology. It is a risk-oriented management system stressing the importance of a continuous process-based approach in managing and improving information assurance.

One of the most widely adopted IAMSs is described in ISO/IEC 27001 and achieves continuous improvement in managing information assurance by incorporating the Plan-Do-Check-Act (PDCA) method.

This part begins with Chapter 8, which gives you guidance on the approaches to implementing the IAMS in the context of common management practices, while recalling that there is also a need to balance information assurance against its cost. Chapter 9 extends the guidance by discussing the possible structures that an organization may adopt to implement the IAMS. The discussion includes pertinent issues such as staffing, roles, and responsibilities.

Chapter 10 discusses asset management. Asset management is at the core of information assurance management. If an organization can’t manage its information assets and know the status of its IT assets at any given moment, the organization will be exposed to risk. Chapter 11 gets into the fundamental processes of risk management and how best to implement it across an organization. The risk management process starts with identification of information assets and their security requirements. This process exposes issues fundamental to performing information asset management. Recall that an information asset has a life cycle throughout which security must be provided. This concept resonates well with the process-based approach of an IAMS in that both are continuous processes in constant need of improvement.

Following this, you’ll find an explanation of the information assurance risk management process. Issues such as threats, vulnerabilities, and impact will be analyzed and the identified risks addressed. It is important to realize that risk management should be incorporated as an integral part of an overall information assurance program. Since it is a process, risk management is itself continuous. The importance of successful risk management will be obvious: it provides a sound basis for the objective implementation of controls, which are the central themes discussed throughout this book.

Having established the organization’s risk profile, policies should be developed to govern the implementation of information assurance so that the identified risks are managed to achieve the stated mission and vision of the organization. Chapter 12 covers organizational information assurance policy. Policy is important in ensuring the organization’s leaders clarify their support for information assurance and also their expectations of adherence to sound information assurance principles. Undoubtedly, information assurance policy is the most important element for any successful information assurance management program. The policy is a formal reference point of conduct in the organization. A poorly developed policy is a source of failure in managing information assurance.

The final chapters in Part II reinforce the point that in planning for information assurance, human resources and quality assurance are also important. It has been the experience of organizations that the weakest link in any security implementation is the one involving people. Chapter 13 focuses on the important decisions to be made before, during, and after employment. Chapter 14 further highlights the importance of quality in both human resources and security products. This chapter emphasizes certification and accreditation as a means of assurance for security implementation.

Quick Answers

Q:   What are the considerations to be made for those who are about to start planning for information assurance?

A:   Organizations should first plan how the information assurance management program is to be structured and organized, and then define the information assurance policies.

Q:   Should information assurance management be retained in-house or outsourced to third parties?

A:   It is a choice for the organization whether to opt for in-house or external management; however, it is not the classic make-vs-buy analysis. The decision to outsource information assurance functions depends on the following:

• The risk tolerance of the organization.

• The cost versus the benefit. The organization needs to conduct a cost-benefit analysis to assess the benefits to be gained from outsourcing against the cost savings from having it done in-house.

• The strategic planning of the organization.

• The capability of the organization’s internal audit in dealing with the outsourcing relationship.

• The availability of internal security expertise.

Q:   Which functions of information assurance can be outsourced?

A:   Information assurance functions that can be effectively outsourced include security administration and monitoring. Companies should withhold any activities that require privileged access.

Q:   Considering the breadth of asset classification, are there sufficient resources to implement and support the process?

A:   Determining asset classification for the organization is a lengthy process. Therefore, the organization should consider staggering the exercise over one or two years based on the number of assets and size of the organization. It should be noted that the longer it is left, the riskier the situation. Alternatively, hiring external consultants to speed up the process, which typically includes asset discovery and tagging, is also an appropriate consideration.

Q:   What is the least bureaucratic way of operating the risk management process?

A:   The organization should focus on the more important risks. Embedding risk management into existing processes such as business planning can also help.

Q:   Who will own the risk management process and safeguard it?

A:   The process requires the support of top management, such as the CEO and senior management team—all of whom should actively contribute and participate throughout the process. In some cases, a risk manager will be appointed. This is not a necessity, since the process could be owned by a business planning manager. Internal auditors should be asked to review the process annually, report on its effectiveness, and provide recommendations for improvement.

Q:   It is good that a risk assessment exercise identifies real threats and vulnerabilities. Yet how can the organization possibly deal with them with limited resources?

A:   The fewer resources the organization has, the more vital the risk assessment process becomes. For example, if funds are scarce, perform a risk assessment to prioritize needs before allocating limited resources. By doing so, risk assessment provides the information needed to address the most pressing needs and increase the effectiveness of resource utilization.

Q:   What is the difference between certification and accreditation?

A:   The concepts are related. Accreditation is a formal acceptance of risks by management that results from the operation of an information system. Certification assures that a system meets defined requirements and is aligned to specified security controls. The certification is the exercise to support the accreditation decision process. Although the pairing of these two names is tied to specific processes in some economies, the actions, by whatever name, are important for a sound information assurance posture.

Q:   Is it possible for an organization to apply information assurance principles without hiring a security officer?

A:   Ideally, every organization should have a security officer, but if the organization is small, it may not have the necessary resources for a full-time position. It is important, though, that all employees in the organization play their respective roles in ensuring security policies and procedures are used.

Q:   I do not know much about policy-related issues. Should I hire consultants to do the work for me?

A:   It is always a good idea to obtain expert opinions. Consultants can give advice on the layout, structure, and content. Yet allowing them to do the whole job will not produce the desired outcome. Information assurance is the responsibility of all employees, and they know their organization best. It is incumbent on employees to shoulder their responsibilities in creating policies. In the final analysis, it is your job.

Q:   I am new to the field of information assurance and have to set up an information assurance culture in my organization. Right now, we have good policies. When should I review my organization’s information assurance policies?

A:   Develop policies based on the organization’s information assurance requirements in fulfilling its mission and vision. Any major changes to information assurance requirements, mission, or vision of the organization require a review of policies. The rule of thumb is that reviews should occur twice as frequently as the mistake one is willing to make. Experts agree that policies should be reviewed at least once a year. Policy reviews are effective when they are part of a certification process or an organization’s change management process.
