Amateurs talk about tactics, but professionals study logistics.
—General Robert H. Barrow,
USMC (Commandant of the Marine Corps) noted in 1980
How do you win in a game where the landscape is constantly changing and your opponents look for new ways to trip you up? Like Fort Pulaski, the defenses of yesterday become useless against today’s threats. What good is planning if everything you’re using can be made obsolete overnight?
Let’s step back and talk about the concept of tactics versus strategy . Some people use the terms interchangeably, but there is a distinct difference. Strategy refers to long-term plans towards a set of goals. Tactics are the short-term things you do to achieve those goals. Since it’s in the quote by General Barrow, I’ll define logistics as well. Logistics is how we coordinate resources to support the tactics in accordance with the strategy Say your mission is to capture a castle. Your strategy is this: we plan to invade the castle indirectly using subterfuge. However, your tactics are this: we are going to pretend to lay siege to the castle but we’ll also send a disguised messenger in with a fake letter from the enemy king giving the garrison permission to surrender. The logistics would involve forging the letter and disguising the messenger. By the way, this really happened in 1271 to a Crusaders castle.1 It’s another great story to add to your war chest of security anecdotes.
Therefore, in IT security , our tactics are how we deal with risks: implementing controls like firewalls, antivirus software, password schemes, and encryption. Tactics will change as the risks and technologies change. Your strategy is how you analyze and assess risks, set scopes, and define goals. Strategy defines how your organization decides which risks should be eliminated and which you should just live with. Logistics flows from that strategy to supply resources to perform the tactical work. IT security governance concerns defining your strategy and logistics. Strategy and logistics shouldn’t need to change as much as tactics. Tactics will always be changing, as the threats and landscape changes.
For IT security, management is at least as important as technology. Technology is powerful but must be properly selected and used in order to be instrumental in stopping attackers. Governance is about ensuring that adequate and proportional security measures are acquired and managed by the organization. Governance defines who does what and when, so that security is properly addressed. Most importantly, governance creates and promotes the security goals, as there is no universal thing as secure. What is acceptable as secure has to be defined based on an organization’s threshold of acceptable risk. Lastly, governance is means that the organization authorizes and commits to the IT security program from the highest levels of management.
Some organizations will outsource their tactical tasks, but strategy is your own. You can bring consultants and advisors to help you build a strategy, but just as the risk is yours, so should be the plan in dealing with it. Luckily, there are great road maps on how to organically grow a governance process that fits your organization’s needs.
Governance Frameworks
There are many ways to do IT security governance. Some may fit your organization more naturally than others may. Here are some of the major governance frameworks :
National Institute of Standards Cybersecurity Framework http://www.nist.gov/cyberframework/
Control Objectives for Information and Related Technology (COBIT) http://www.isaca.org/COBIT/pages/default.aspx
Health Information Trust Alliance (HITRUST) https://hitrustalliance.net/hitrust-csf/
ITIL ISO 27001 http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
Choose your governance system with care. Once a system like this is in place, they are hard to replace. This is especially true if you’re in the middle of an audit period. Over time, systems can grow and force you to do things the way the system wants, not necessarily the way you want.
The ISMS
We talked about the focus of different audits in earlier chapters, like how the SSAE 16 SOC 1 is focused on financial records and the PCI DSS is focused on payment cards. ISO 27001’s focus is on IT security governance, which they call the Information Security Management System or ISMS. Since ISO 27001 has a pretty good model for security governance, this chapter will follow its path in building a governance system.
The ISMS Governance Strategy
Briefly, governance is the work of a cross-functional team that manages the IT security program for an organization in a continuous process of analysis and actions. Governance according to the ISMS approach uses the Deming Cycleof continuous improvement, also known as Plan-Do-Check-Act (PDCA ). The following is the action plan for getting an ISMS off the ground:
Establish the ISMS.
Set up an ISMS security steering committee.
Draft a charter defining the steering committee’s roles and responsibilities.
Obtain executive management’s approval of the charter and the security steering committee.
Plan. The steering committee commissions an analysis of assets and compliance requirements. It publishes security goals and scope based on these.
Do. The steering committee and related stakeholders commissions an analysis of risk and controls. It reviews these in light of the security goals, decides upon risk treatment options, and assigns work to be done based on them.
Check. The steering committee commissions an analysis of control effectiveness and appropriateness within the organization against the previously published goals and scope.
Act. The steering committee adjusts the risk treatment plans accordingly to ensure that goals are being met. The steering committee then returns to step 2 and begins the Plan phase again to continue refinement and improvement of the security program.
Let’s break each of these down now.
Establish the ISMS
The ISMS is a key part of your strategy for the management of risk in your organization. Before you get started on the Plan-Do-Check-Act part of the ISMS, you need to set it up. This involves forming the steering committee, assigning key roles, drafting your charter, and getting organizational buy-off on the endeavor.
The ISMS Steering Committee
When doing IT security, you never want to go it alone. Security is hard, but things get much easier with a whole team pulling together. A strong team is a multi-disciplinary team. Having team members with different skills and different perspectives of how the organization runs will make identifying risks and treating them much easier.
IT Security
Who should be on the ISMS steering committee? You need some obvious members, like the chief security officer (CSO). The CSO will lead the committee and be responsible for setting the agenda and running the meetings. Please note that the CSO is a role that I am using for convenience not necessarily a title. The CSO’s job title could be security manager, information security officer, IT security lead, or even network security potentate. The title isn’t as important as the role, which belongs to the most senior individual in the organization responsible for managing the IT security program.
Other Security Departments
You should also include any other security departments, such as the leads representing the other domains of security outside of IT. For example, you should include someone from either physical security or facilities. If there is a head of business continuity or disaster response, they should be included as well. In smaller offices, business continuity and physical security duties usually fall onto the office manager, who would be an excellent addition to the ISMS committee. Some organizations have a separate department (and requirement) for data privacy, so they should be involved as well.
Leadership
An absolute requirement would be representation from the executive leadership of the organization. Ideally, the higher ranking the better. If you can get someone who represents the organization’s board or the CEO, that would be best. Sometimes you can’t get so lucky, so the CIO or VP of IT may be the best you can get. Whoever this is, their role is to put executive authority behind the committee decisions and to supply the necessary resources (budget and people’s time) to getting things done. Without explicit and concrete executive support, an ISMS will stall before even getting off the ground. Until that happens, all of your efforts will be an academic exercise with little or no real impact to the organization. At the very least, the committee’s work should roll up to the CEO for formal acceptance of risk. The CEO’s job is to ensure the safety of the organization, even if he or she can’t or don’t have time to participate in the day-to-day work committee.
Audit
As part of the Plan-Do-Check-Act , you should have a representative from the Check phase of the cycle. This means an internal auditor on the committee, or at least an occasional report to the committee from the external auditors. They provide an independent assessment of the progress towards the ISMS goals. As members of the committee, not only could they provide direct feedback on control shortcomings, but they can also provide insight into the design of security program metrics to measure and track effectiveness. Note that if you are doing an ISO 27001 audit, you are required to have an internal audit role within your organization. Chapter 22 is entirely focused on internal audit.
Specialized Departmental Roles
Other appropriate organizational experts should be part of the ISMS committee. You’d want to have someone from the legal team to weigh in on proposed policies as well as to navigate the complex shoals of liability that can arise from IT risk. The legal team can also act as an authority on compliance regulations and contractual issues involving IT. Since IT risk translates to financial risk (as well as financial expenditures), a representative from finance is a strong addition. With so many security policies involving how staff perform their job, a member from the human resources department is another key role. HR becomes especially important when security policy violations involve employee disciplinary measures, as well as IT security initiatives that touch employee privacy.
IT
Since we are talking about IT security, you will want at least one person from the IT department on the committee. Some organizations are large or tech-oriented enough that there may be several different groups of IT personnel . So maybe you’d want one person each from software development, IT operations, the help desk, and projects. Or perhaps you don’t want to load up your committee with techies, so you could have one person who could represent all of those teams, such as the IT director. It all depends on your organization and its culture.
Major Departmental Heads
The ISMS committee should have representative from a cross-section of business within the organization. These are the department heads who represent the important business processes and user communities that are affected and protected by the ISMS. In larger organizations, these department heads are likely already meeting for other reasons. In that case, you could use that forum as an opportunity to get their feedback and opinion on risk matters. These department heads act as system owners, weighing in on decisions and analyses tied to the daily business of the organization. Without them on the committee, you risk doing things in a vacuum and failing to engage user’s support. As my old boss used to say, without input from the business, your security program will be like throwing sod down on cement and expecting it to grow.
ISMS Committee Guests
In addition to the standing membership, the ISMS committee could benefit from occasional guest members or speakers. These members can come both inside and outside the organization.
Inside the organization, you can include other department heads not formally in the ISMS committee. Perhaps these departments don’t even have a strong IT presence within the organization, but could still provide some new insights or warnings. This could include marketing, sales, customer service, manufacturing, academics, research, transportation, or even the cafeteria. You could also look at asking one of your standing department heads to bring in a representative from one of their underlying sub-departments. For example, facilities could bring someone from janitorial to talk about what goes on after dark. The IT help desk could bring in a support phone tech to talk about how they do password resets over the phone. The idea is to keep the ISMS fresh with new ideas and leave no stone unturned when it comes to possible internal risk.
External expertise is also valuable to the ISMS committee. If an ISMS is just starting out and all the participants are new the process, then having a security consultant on the committee would be extremely beneficial. If there is outside counsel with expertise in areas of the law beyond your in-house knowledge, this person would be a good drop-in member. Subject matter experts could guest lecture on occasional topics as well. This could include key vendors, technical consultants, regulators, and even cyber-cops. I have seen several federal cyber-police agencies willing to go onsite to organizations and provide advice on the protection of critical infrastructure. Do you remember the security organizations that I discussed back in Chapter 1? They are a good source for these kinds of speakers.
Also remember that the ISMS committee is as organic as your security program itself. The membership will ebb and flow, as your organizational and security needs change. It is not a fixed committee but one you can add and change members on over time.
Duties of the ISMS Committee
The duties of the ISMS committee are to work together to do the following:
Provide the authority and leadership for IT security for the organization. To lead and to lead by example with respect to security.
Incorporate IT risk into overall organizational risk plan that may include other forms of risk beyond IT.
Decide on what is acceptable and unacceptable risk for the organization based on regulations, compliance requirements, contractual agreements, and organizational needs.
Ensure for planning and budgeting to provide sufficient resources to control unacceptable risk in the organization.
Ensure that there are adequate policies and procedures created, maintained, and enforced to control unacceptable risk in the organization.
Provide reports to senior leadership on the health of the ISMS, including audit status.
Agree on new and proposed changes to high-level security policy for the organization.
Approve security policy exceptions and perform formal risk acceptance when needed.
Sponsor and oversee security control projects and ensure that adequate resources are available to complete them.
Review security incidents and security policy violations.
Take an active role in major security breaches and breach notifications.
Review security and audit scope changes including assessing new and changing third-party relationships.
Assist in the recruiting, hiring, and the succession of the CSO.
To stay abreast of major security, compliance, business, and asset changes within the organization to facilitate optimal decision-making.
Key Roles
Now that you have the membership of the ISMS committee established, what are everyone’s roles?
CSO
As we discussed earlier, the CSO is the top security person leading the ISMS committee. This means setting and running the agenda for the meeting, as well as keeping the discussions on topic. As the most knowledgeable expert in IT security in the group, she should also act as teacher and explainer for the rest. The CSO should make sure that the committee reviews critical policy and control project proposals at the appropriate time. Since the CSO is running the ISMS as part of her day-to-day job, she is likely the main point of contact for all ISMS committee business and communication. The CSO also directs the various assessments, including the risk, asset, and compliance analyses. The CSO has the functional responsibility for security, she is charge of directing the IT and security administrators to implement and maintain the controls. The role of CSO is so important that this role should be part of the CSO’s job description. The CSO’s authority is derived from a formal delegation of authority from the head of the organization. This can be direct or indirect via a chain of command, but the ultimately the CSO has been officially tasked with security by the leader of the organization. This authority can be documented in a memo, in the ISMS charter (endorsed by leadership), in their job description, or all of the above.
Asset Owner
The asset owner is the one responsible for the security of their assets. They empower and delegate the task to the CSO to find and reduce risks to their assets and associated business processes. The asset owner provides support and resources for the CSO to do her job. The asset owners are also the ones who help determine the information classification of the data within their systems. If they appear to be making ill-informed or irresponsible choices, the CSO (and perhaps the legal department) needs to educate them on the possible consequences of their decisions.
The ultimate asset owner on the ISMS committee is the leadership role or C-level executive. That role is the asset owner of the entire organization and would have final say on support and resources allocations for the CSO, which is probably no different from their role outside of the ISMS committee. By default, this person is also ultimately responsible for ensuring that risk is kept to minimum acceptable levels and nothing goes horribly wrong. Again, this is probably not different from their role outside the committee. Be aware that there will be struggles with asset owners and security requirements. Asset owners may occasionally resist security control work and operations due to their own priorities. For example, they may not want their systems down for an urgent zero-day patch if they are facing their own deadlines. The ISMS committee forum is one place that these requirements can be resolved. For ideas on how to manage these obstacles, see Chapters 8, 9, and 10.
Asset Custodian
The Custodians are the people who manage and take care of the assets for the owners. Generally, this means the IT operational personnel. Their role is to implement, operate, and maintain the various defined controls that manage risk to the assets. They are responsible for maintaining the control operational records, which auditors may need to review. They must also report any deficiencies or deviations to defined risks, assets, and controls to the CSO so they can be dealt with. Custodians also work ensuring information is maintained according to data classification policies set down by the ISMS committee. Upcoming chapters go into the specifics of how controls can be implemented and maintained.
Asset User
Asset users can refer to anyone in the organization, whether or not they are a member of the ISMS committee. The asset users are anyone who uses the IT assets defined in the scope of the ISMS. They are responsible for exercising due care to protect the assets by following the ISMS defined policies and operational procedures. Upcoming chapters define how asset users are educated on and managed with ISMS rules of conduct.
Auditor
The auditor role is the tester of the ISMS. Their job is to monitor the ISMS and report on deviations and shortcomings of the process. Because they are in a watchdog role, they must be independent and not in the chain of command of any of the ISMS custodians or the CSO. This role is not the same as penetration testers or vulnerability assessors, which are usually hired by the CSO to test for vulnerabilities from outside the organization. Auditors are given full authority to see everything going on within the organization at any time. The trade-off is that auditors are not allowed to implement or maintain controls. They are testers only. This function is described in more detail in Chapters 21 and 22.
Roles and Responsibilities Diagram
The RACI diagram is a helpful tool for managing roles and responsibility. It is a responsibility assignment matrix named after the four commonly assigned duties: Responsible, Accountable, Consulted, and Informed. They are described as follows:
Responsible: The person(s) assigned to work on this task
Accountable: The person(s) in trouble if the task isn’t done correctly
Consulted: The person(s) contributing information to this task
Informed: The person(s) who need to be updated about the task
Figure 7-1 shows a RACI diagram for the ISMS for the Plan-Do-Check-Act process.
Figure 7-1. RACI diagram for the ISMS for the Plan-Do-Check-Act process
ISMS Charter
Now that you’ve hammered out an ISMS committee, you need a document defining your ISMS. The ISMS charter formalizes the ISMS and lays out the scope, roles, goals, frameworks, and operational details of the steering committee. It can even specify the risk assessment methods and acceptance criteria.
Sample ISMS Charter
Information Security Management System Charter for Puget Regional Bank
The purpose of theInformation Security Management System (ISMS)is to:
To ensure confidentiality, integrity and availability of sensitive information of Puget Regional Bank, its customers, and business partners
To ensure management and employee accountability for information resources including assets and information entrusted to them
To ensure compliance with legal and regulatory requirements
To eliminate or minimize risk to Puget Regional Bank’s IT resources
To reinforce Puget Regional Bank’s core ethical values
Sponsorship: The Chief Technology Officer (CTO)
Scope: Puget Regional Banks’s scoped assets
The ISMS Committee: An ISMS committee will be formed to define and lead the ISMS. The ISMS committee will be responsible for:
Setting goals for security projects and program
Defining organizational policy regarding IT security based on those goals
Communicate with leadership and the organization regarding the security goals
Strive to achieve those goals by defining control objectives for risk treatment
Measure the effectiveness and performance of the controls and control objectives
The committee will annually review membership and recommend changes after considering the needs for continuity and expertise as well as the need to encourage change and opportunities to participate. The Office of the CTO will provide administrative support.
The current ISMS membership includes:
IT Security Officer (ISO) - Chair
Director of IT Services - Co-chair, CTO proxy
Puget Regional Bank Lead counsel
Lead Internal Auditor
Director of Continuity of Operations
Director of Bank security
Director of Customer Services
Director of Remote Customer Services
Director of Credit Services
Director of Mortgage
Director of Collections
Director of HumanResources
Meetings: The 3rd Tuesday of the first month of the annual quarter. The committee can have emergency meetings if any member calls one
Decision-making: Decisions by consensus of the ISMS committee with disputes taken to the CTO for resolution
Attendance: Regular attendance by ISMS Committee members is mandatory. ISMS Committee members can designate proxies to attend in their stead if unavailable.
ISMS Committee members can invite additional attendees as appropriate
Communication: In addition to this charter, membership list, schedules, and other docs will be posted on the ISMS Intranet web site. During the next meeting, the meeting minutes from the previous meeting will be approved and posted on the ISMS Intranet.
ISMS Strategy: To achieve its stated purpose:
The Puget Regional Bank ISMS program will employ a risk-based approach to analyze, and compare threats to and vulnerabilities in, information resources with respect to their criticality and value to Puget Regional Bank.
The ISMS program will also determine compliance with country, community, federal, state, and other regulatory information resource requirements. The results of the risk assessment will be used to determine appropriate, cost-effective safeguards and countermeasures.
All assessment findings and recommendations, as well as the safeguards, procedures and controls implemented, will be documented and reported to the Puget Regional Bank Chief Technology Officer.
The Internal Audit department will maintain an ongoing assessment program to test and evaluate the effectiveness of preventative, detective, and corrective information security controls to ensure their continued effectiveness against evolving risks and threats.
The Puget Regional Bank ISMS will be managed by security policies.
The IT Security Department will work with various departments as necessary to develop and maintain comprehensive security standards and procedures designed to implement this security strategy and security policies.
The ISMS Committee will accept requests from any business unit, group, or department to add or make modifications to security policies or controls.
The ISMS Committee will address requests at their discretion based upon an analysis of the request.
Puget Regional Bank’s IT Security Policy will be available to all Puget Regional Bank personnel via an Intranet-based application, or other appropriate medium.
Puget Regional Bank personnel will be informed when policies or control standards are created or changed.
A communication plan will be developed for security policies, standards, and procedures.
Obtain Executive Sponsorship
The final piece of establishing the ISMS is to get executive management approval of the charter and the security steering committee. As you can see in the sample ISMS charter, the executive sponsor for Puget Regional Bank is the chief technology officer, which in this example is a bank senior vice president. You will want your sponsor to be as highly placed as possible in the organization. You will find it also helpful if that sponsor appreciates the gravity of an IT security program and can provide guidance to its operation.
Plan: Implement and Operate a Security Program
Now that the ISMS is established and the committee is up and running, the committee can get to work. The first step is to plan how you are going to deal with the risks.
Now the committee needs to make sure that it has an accurate and timely analysis of assets and compliance requirements. If the committee doesn’t have them, then the ISMS committee needs to kick off a project to have them done. It’s likely that your organization has already done something along the lines of asset analysis, as most normal IT departments have some kind of inventory. The ISMS committee can brainstorm an initial compliance analysis be in a short session or two. What you don’t want to do is sit around for months waiting for analyses to be completed before taking action. A little work yields decent and usable results right away. The committee can spin-off projects to get better data later. The plan will never be perfect anyway, so why wait?
Decide upon and Publish the Goals
The committee can now take the ISMS charter’s goals and make them a little more specific, which will form the basis of your security policy and organizational communication. This also illuminates the scope, as you are getting specific about requirements.
Based on the Puget Regional Bank ISMS charter example, this could be a published goal:
Puget Regional Bank will strive to adhere to the Sarbanes-Oxley and Gramm-Leach-Bliley Acts by protecting the confidentiality, integrity, and availability of its financial systems and customer data. Security, privacy, accuracy, and uptime are the goals of Puget Regional Bank and its IT systems.
The use of saying will strive indicates that you will put serious effort into achieving these goals, but you are not necessarily guaranteeing that you will succeed perfectly for all time. You should always assume breach, but still try your best to avoid it. This is different from when you write internal policy statements , which use clear directives regarding mandatory duties such as “should, will, must, shall.”
Please note that this goal includes two different overlapping compliance requirements, which is common in complex environments. We could have just as easily added PCI DSS to that list as well, since there are probably payment card numbers involved in some financial transactions.
This goal can be the preamble when you publish your security policy and do your security awareness campaign. It’s important to communicate this goal to everyone. You are going to ask every user and IT to do some kind of work on security. Explain to them why this matters.
Define Control Objectives
With goals, you can begin to draft control objectives , which are the specifics with respect to assets and requirements. The organization builds controls to achieve those control objectives. Consider the following Puget Regional Bank sample assets in Table 7-1.
Table 7-1. Assets and Control Objective Requirements
Assets | Requirement |
|---|---|
Databases with customer data records | Confidentiality, integrity, availability |
Customer-facing web site | Integrity, availability |
The following are some potential control objectives based on these two assets and requirement combinations:
Controls provide reasonable assurance that physical and logical access to Puget Regional Bank databases and data records are restricted to authorized persons.
Controls provide a reasonable assurance that all changes to the Puget Regional customer web site are approved and performed by authorized personnel.
Controls provide reasonable assurance that Puget Regional Bank critical systems and infrastructure are available and fully functional as scheduled.
For an SSAE 16 SOC 1, these kinds of control objectives are a critical part of the audit. The SOC 1 is both the most flexible and most challenging in this aspect. You have the privilege and the burden of writing your own control objectives. For other audits, the compliance framework dictates a specific control objective. This is the first objective for SSAE 16 SOC 2 and SOC 3 under security:
Security commitments and requirements are addressed during the system development lifecycle including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.
Under the PCI DSS, this is the first of 12 control objectives (called a requirement in the standard): “Install and maintain a firewall configuration to protect cardholder data.”
Underneath that control objective (or requirement), the PCI DSS specifies a dozen or so specific controls that need to be in place to support it.
In ISO 27001:2013, there are 14 control groups that are analogous to control objectives. With the ISO 27001, you need to create a document called a Statement of Applicability based on these control groups. We’ll get into that soon.
Assignment of Role and Responsibility
One thing to keep in mind when working on control objectives is to think about how you are going to achieve them. This means formally assigning the control objectives to someone to work on and then requiring a continuous monitoring process. It’s common for the ISMS committee to assign the majority of IT Security control objectives to the CSO. This is a big reason why you have the formal CSO role . Left to themselves, most people neglect risks that aren’t directly their problem. They’re probably already busy doing something else. Formal assignment of roles helps minimize that.
Do: Risk Treatment
Now that you have a defined goal and scope, you can map your risks and controls to them. Like before, if you haven’t done a risk assessment or a controls analysis, you absolutely need to do them now. Again, if you don’t have time, then brainstorm a qualitative assessment for now, while commissioning a more detailed one that you can use in the near future. You’ll be repeating this planning step at least once a year, so you can expect things to change anyway. Now you can pull all of these things together and build a risk table as shown in Table 7-2.
Table 7-2. Sample Risks and Controls Table
Asset | Require | Risk | Controls |
|---|---|---|---|
Databases with customer data records | Confidentiality, integrity, availability | Malware infection | Antivirus software, firewalls, limited access |
Application attack | None | ||
Insider theft or sabotage | Limited access, background checks | ||
Physical theft or damage | Locked server room door, fire suppression | ||
Accidental data leak | Limited access | ||
Corporate web site | Integrity, availability | Defacement | Firewall |
Integrity, availability | Denial-of-service attack | Firewall, redundant ISP |
Given this, the ISMS committee can determine if these controls are sufficient to lower these risks to an acceptable level. This calculation can be done out-of-band by the Security Officer and then presented to the ISMS committee for review and approval. Only the most tech- and security-savvy ISMS committee is going to sit through the process of analyzing controls and risks for each scoped asset. However, the committee does have to buy-off on the analysis, since they recommend and sponsor control projects to close those gaps. Table 7-3 demonstrates how this can look.
Table 7-3. Risk and Control Analysis of Effectiveness
Asset | Require | Risk | Controls | Effectiveness |
|---|---|---|---|---|
Databases with customer data records | Confidentiality, integrity, availability | Malware infection | Antivirus software, firewalls, limited access | Acceptable |
Application attack | None | Deficient (no controls applied) | ||
Insider theft or sabotage | Limited access, background checks | Insufficient risk coverage | ||
Physical theft or damage | Locked server room door, fire-suppression | Insufficient risk coverage | ||
Accidental data leak | Limited access | Insufficient risk coverage | ||
Corporate web site | Integrity, availability | Defacement | Firewall | Insufficient risk coverage |
Corporate web site | Integrity, availability | Denial-of-service attack | Firewall, redundant ISP | Acceptable |
As you can see, the ISMS committee has found that a number of risks are not being sufficiently addressed. The next big question to address is what to do about them?
Risk Treatment
After you’ve looked at your risks and current controls, the ISMS committee will likely discover controls that are managing risks insufficiently. They basically have four choices at this point:
Ignore the risk, pretend that you never saw it, and hope that it will go away
Accept the risk and hope that it never happens
Eliminate the risky activity
Reduce the risk through controls
Since ignoring the risk is a great way to end up in an extremely embarrassing and expensive litigious situation, most ISMS committees don’t go there. Negligence is when you fail to do what is reasonable to prevent something bad from happening to others. Organizations are sued and fined for negligence.2 Ignoring risks is negligent. I’m pointing this out because some organizations can ignore risks and get in trouble. This usually happens by accident because they are so disorganized or their security programs are so ineffective. You won’t be like that, though.
That leaves choosing between accepting the risk, eliminating the risk, and risk reduction. Nevertheless, before we get into these choices in detail, you need to be aware that people can be irrational when dealing with risk. An apocryphal study found that people spend more for flight insurance coverage for “death by terrorism” than they would for a more inclusive policy that covers death for any reason. People can get stunned by scary headlines about large breaches and make judgments on small sets of data, especially large impacts are concerned. There is a tendency for people to overly focus on the magnitude of an impact and ignore the probability. Some unscrupulous vendors even use this technique in their sales and marketing material. In the security industry, this is called Fear Uncertainty and Doubt (FUD) marketing. It’s not a rational or efficient way to make risk decisions. Remember that if you spend your money dealing with a few unlikely but high impact risks, you may not have enough to deal with the numerous common threats . This can lead to a death by a thousand cuts.
Risk Acceptance
An ISMS committee may want to accept certain kinds of risk. Risk acceptance is the deliberate and carefully considered formal act of declaring that an organization will deal with the consequences of a risk impact. This is not ignorance, where you pretend the problem doesn’t exist. This is a conscious choice, documented in writing, that the risk is acceptable. This is usually done for risks that where the impact or likelihood is small. It can also be done for risks where the cost of managing that risk is higher than the impact.
For example, a company may say that it is accepting the risk of a super-typhoon wiping out its Hong Kong sales office; the impact is potentially high, but the likelihood is somewhat low. There are already controls for normal typhoons and the sales functions aren’t critical to company operations, so for now the risk is accepted.
When doing risk acceptance, the ISMS committee must be very explicit about documenting what they are accepting and why. The criteria for accepting risk should also be formalized, so that auditors and other interested third parties can review the decisions. To an outsider, risk acceptance can look like negligence to customers, auditors, or regulators. If something goes wrong on a risk you’ve accepted, then you really better be ready to deal with the consequences. Be very sure about your impact calculation. Lawsuits and failed audits are not pleasant experiences.
The ISMS committee should track and review accepted risks at least annually. Risks can change for a number of factors, both internally and externally, and the ISMS committee should revisit and re-decide on the risk acceptance.
Lastly, once a small risk is accepted, there is a tendency for people to think that a precedent is set and all similar small risks should be automatically be accepted. Remember risk is cumulative, like drops of water in a bucket. The more little risky things you accept, the more risk you take on as a whole. A lot of little risks are as bad as one big risk. Don’t fall into the trap of saying “We allowed this thing, so we might as well allow more like it.” It all adds up. If you’re doing quantitative risk analysis, you can calculate this cumulative risk.
Risk Elimination
There have been times when an organization did a risk analysis on a particular process and decided to drop that process entirely. The risk could simply be too high and the cost of reducing that risk just not worth it. Maybe the process is not that critical to the organization. In some cases, the organization may find a way to redesign or reorganize the process so the risky functions are no longer performed. Perhaps the process could be folded into another function, and the risk moved that way.
This kind of work can involve research, experimentation, thorough analysis, and imagination. Moreover, sometimes the resulting product does not reduce the risk in any significant way. Systems interact, both internally within the organization, and externally with the outside world. Risks almost never live in isolation and solutions can sometimes produce newer and bigger problems. In any case, risk elimination means that this particular risky process and its assets are shut down and with them, the associated risk. From an IT security perspective, this is the optimal solution. Unfortunately, the organization may have different priorities.
Risk Reduction with Controls
This is the most common choice that people make when confronted with risk. It’s likely that your organization is already trying to reduce perceived risks with controls. It’s become automatic to install firewalls, passwords, and antivirus for IT systems. It’s a suboptimal solution because the risk is rarely reduced to zero, but it’s the generally accepted solution and is often good enough. Let’s revisit the sample table of risks for Puget Regional Bank. In the analysis, several risks were not reduced enough by controls:
Application attacks against the database and customer records
Insider theft or sabotage against the database and customer records
Physical theft or damage of the database and customer records
Accidental data leaks of the database and customer records
Defacements of the corporate web site
The ISMS committee can now propose new control projects for these risks. At this point, the ISMS committee does not have to select a particular control. It merely needs to decide that someone owns the project of reducing this risk through controls. The committee usually assigns these controls projects to the CSO to oversee, with the various departments doing the work. This is probably a good time for another RACI diagram. In Table 7-4, I present a different format of RACI diagram, breaking things down by risk.
Table 7-4. RACI Diagram of Top Risks
Risk | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
Application attacks | Developers | CSO | Database owners | ISMS committee |
Insider theft | IT | CSO | HR | ISMS committee |
Physical theft | Facility security | CSO | IT (owns the server room) | ISMS committee |
Accidental leaks | IT | CSO | Users | ISMS committee |
Defacements | IT | CSO | Marketing (who owns the web site) | ISMS committee |
Often a risk can be reduced by using many different types of controls. It may take some work to determine which control works best in your organization. For example, with the Application attack, risk against the database could be reduced by hardening the software with the programming work done by the developers (as shown in the preceding example). Alternatively, perhaps IT could install an application-aware filtering firewall or proxy in front of the database to stop attacks before they get there. For the physical theft risk of the databases, facilities could add better door locks or IT could implement database encryption. An ISMS sub-committee may have to do a bit of work to find a solution that is acceptably efficient and effective. Control design is covered more in Chapter 12.
Risk Transfer
There is actually a fifth option, which is a hybrid of risk elimination and risk reduction: risk transfer. For a risk transfer, you transfer either the impact or risky activity itself out of your organization. Many companies choose to outsource their payment card operations for this reason. They haven’t fully eliminated the risk, because their customers will still be angry if hackers steal their credit cards. However, the outsourcing company can be contractually bound to pay for the damages if this happens. The trick is estimating the impact so that the party taking on the risk transfer can properly compensate you. You also can try to transfer to a third party that could lower the likelihood of the risk occurring as well. A third party payment card hosting company will likely have better controls in place than in this area and (hopefully) be fully PCI DSS compliant. So you can hope that not only is the impact transferred, but the likelihood has been reduced by superior controls.
Another way to transfer risk is to simply buy cyber-insurance against the risk. There were already many insurance options for disaster related IT risks. Now many hacking or data breach risk premiums are available. Be warned however, insurance companies may interpret a covered loss much differently than you might. You should make sure that your policy really covers what you think it does before you consider a risk transferred. In addition, many insurance underwriters perform an audit much like we are describing in this book of your organization’s IT security program to calculate the cost of your premiums. Depending on the risks and the state of your organization, you may not save much money.
Documenting Risk Treatment
Once all of this done, the ISMS committee should document their proposed risk treatments. For each risk listed, the ISMS committee needs to commission a plan. Revisiting our risk list from Puget Regional Bank, let’s make a new table. Here in Table 7-5, we see the ISMS committee has decided to transfer the risk of physical theft by moving the servers to a co-location facility. They have also decided to accept the risk of insiders as the nature of the system makes controlling that risk prohibitively expensive.
Table 7-5. Sample Risk Treatment Table
Risk | Asset | Treatment | Description |
|---|---|---|---|
Application attacks | Database and customer data | Controlled | Developers recode app to reduce vulnerabilities |
Insider theft | Database and customer data | Accepted | Cost and complexity of controls too high (see attached report), IT reduces access to only core team, access logging provides audit trail, ISMS committee revisits this risk in three months |
Physical theft | Database and customer data | Transferred | IT has a project (see attached plan) to move servers to Glenda ISP secure colocation facility |
Accidental leaks | Database and customer data | Controlled | IT installs a data leak prevention tool to scan for customer data in e-mail |
Defacements | Customer-facing web site | Controlled | IT performs regular vulnerability scans and patching |
Statement of Applicability
As we noted earlier, the formal ISO 27001 standard requires a document called a Statement of Applicability(SoA). This looks a lot like Table 7-6, except it focuses on controls instead of assets, so make control reference the first column. The SoA is a why-we’re-doing-this strategy (and in some cases, it’s a why-we’re-not-doing-this) document with the respect to controls. You create it by going through a list of best practice controls and map risks and requirements to them. Table 7-6 is an example based on Table 7-5.
Table 7-6. Sample Statement of Applicability
Control | Risk | Compliance | Effectiveness | Justification/Description |
|---|---|---|---|---|
Security requirement analysis and specifications | Application attacks against database and customer data | SOX, GLBA | Deficient | Developers will recode app to reduce vulnerabilities |
Administrator and operator logs | Insider theft of database and customer data | GLBA | Insufficient | Cost and complexity of additional controls too high (see attached report), IT will reduce access to only core team, access logging will provide audit trail, ISMS committee revisits this risk in three months |
Equipment protection | Physical theft of database and customer data | GLBA | Insufficient | IT has a project (attach summary of a plan) to move servers to GlendaNet’s secure colocation facility |
Electronic Messaging | Accidental leaks of database and customer data | GLBA | Insufficient | IT will install a data leak prevention tool to scan for customer data in e-mail |
The ISO 27001 standard strongly encourages you to use the ISO 27002 list of security techniques as your best practice controls list, but it’s not an absolute requirement. ISO 27001 does require you to explain, formally, why you aren’t using a particular control in their best practice list. For example, say you intend to use the PCI DSS as your list of controls in your ISO 27001 (killing two birds with one stone), you need to either include the controls in ISO 27002 that are missing from the PCI DSS or write a few paragraphs for each missing control justifying why you’re not using it. The most commonly acceptable reason is that the controls would apply to a non-existent or unscoped process. No auditor is going to be satisfied with you saying you’re not doing a control because it’s too expensive or too difficult to implement. That starts to smell like negligence.
Check: Monitor and Review Security Program
This being the world where you should assume breach, it’s unlikely that a control will reduce a risk to zero. Therefore, once the controls are implemented and running, they should be monitored for effectiveness and appropriateness . These are two different measures. Effectiveness measures how well a control is functioning within the organization. Appropriateness is measuring how much that control actually reduces risk. Often people make the mistake of only measuring effectiveness, but not looking at what the outcome of the risk reduction effort. For example, “In the past three months, we have reduced our malware infection rate by 20% (appropriateness). Our antivirus control is now active on all servers, based on the Q2 internal audit (effectiveness).”
The committee can compare these measures against the actual cost of a control to determine if the control should be replaced or the risk treatment changed. This is explored in much more depth in Chapter 22 on internal audit.
Act: Maintain and Improve Security Program
The last step in the cycle is for the committee to adjust the ISMS based on the information found during the Check phase. The goal is continuous improvement of the security program—improving not just the effectiveness and appropriateness of the controls, but also reducing the cost of controls. Anything can be adjusted not just controls but scope and goals. This is covered in more detail in Chapter 24.