CHAPTER 8


Approaches to Implementing Information Assurance


In implementing an information assurance program, the approach taken also plays an important role. Organizations can use a top-down or bottom-up approach to implement and execute information assurance.

Selecting a suitable approach depends on an organization’s requirements. Sometimes a hybrid is the right decision. For example, a large multinational organization with branches in different countries might select a top-down approach to match general corporate security requirements, while the bottom-up approach is used at the same time to meet local security requirements within specific economies.

This chapter focuses on the key components of an information assurance implementation followed by a discussion of the levels of organizational controls. It compares the top-down and bottom-up approaches and indicates when a particular approach is more suitable. Of course, organizations should always consider the different views when balancing information assurance against the cost of implementing it.

Key Components of Information Assurance Approaches

Any approach to information assurance should ensure effective interaction of the three key components of information assurance mentioned earlier in Chapter 2.

      • People

      • Process

      • Technology

People are a challenging and crucial resource that requires management. By applying the right processes and technology, people add value to organizations. When implementing the technology and operating the processes, an organization should have trained the right employees to maximize the efficient use of the technology. Awareness, training, and education (AT&E) are key to making information assurance work.

Process refers to the use of a formalized sequence of actions to achieve an aim. For example, recruiting new employees has its own process beginning with the advertisement stage and ending with the actual hiring. As an organization matures, processes or procedures should become more efficient and discriminating over time. Legal, regulatory, and contractual requirements and obligations are matters that should be weighed in terms of their impacts to current processes.

The technology component requires examining the hardware, software, and physical facilities to ensure better operations and execution of the computer security processes. Large organizations may be able to spend money to fix the operational problems created by implementing technological solutions without a plan. Smaller organizations, however, do not have the same resources, so an inappropriate selection is riskier for them. An organization should ensure the hardware or software purchased is cost-effective, meaningful, and useful.

Strive to achieve a balance between the three key components of people, process, and technology. Hence, when determining whether a top-down or bottom-up approach is more suitable, you should consider the total cost of ownership (TCO) and associated return on investment (ROI) of either approach with regard to the three components.

A common approach for those beginning to implement an information assurance capability is to focus on technology. This often leads to the purchase of several information assurance tools such as vulnerability scanners, penetration testing systems, and intrusion detection systems. The initial cost of these investments is often substantial, and the technology will require maintenance over the years. What has been achieved? The organization now has freshly installed tools that are already becoming obsolete but no people trained to operate them. The organization has neither built relevant policies/procedures nor determined how these new tools will affect the business. This is an example of a high total cost of ownership with a low return on investment because of a focus on technology over people and process.

Another approach could include hiring information assurance employees, directing them to write policies, standards, and procedures for the secure handling of information, and having them perform a risk assessment. Using the results from the risk assessment, the organization could then determine the best requirements for technology. Purchase technology that meets a specific need of the organization (such as encryption for the banking or healthcare industry) and targets a specific risk. Now the risk of a breach (which can be extensive in terms of monetary and reputation loss) is reduced through procedures and technology. The total cost of ownership is likely similar to the first example, but the return on investment can be measured and is likely quite high in this example.

Implementing information assurance using a top-down or bottom-up approach also depends on management’s preference for culture. Before comparing the two approaches, understand the various levels of controls found in an organization. Small and simple organizations often rely on cultural norms to establish behaviors. This approach can be top-down if an organization’s leadership is exceptionally strong; however, most often culture is found to be a driving force from the bottom up. Culture can effectively replace policy if used correctly and the same values and strategy have been instilled in every employee. Policies and procedures are often found in organizations that are large, multinational, or complex in their operations. Policies require effort to create, negotiate, and maintain; however, they set an immutable expectation by which the organization is expected to perform. Policies can shape cultures both positively and negatively. If policies are not enforced and do not reward those who follow them, the organization’s culture and practice will soon be to ignore the policy.

Levels of Controls in Managing Security

An important element of a security program is the collection of controls that an organization needs to have in place. Because each organization is unique, every security program is different. Every organization has its own risk profile (exposure to unique threats and vulnerabilities), business drivers, and compliance requirements. Even though security programs are different, they are composed of the generic elements shown in Figure 8-1.


Figure 8-1 Levels of controls in an information assurance program

Strategic management includes security processes such as conducting risk management exercises, security awareness programs, policy development, and compliance efforts with laws and regulations.

Tactical management examines business continuity, data classification, process management, personnel security, and risk management. Operational management includes areas of communication security, security of an information system life cycle, and incident response.

It is important to realize input for the strategic plan should not be merely from the CIO, CISO, or CSO (responsible for an information assurance program). Support for an information assurance program should come from senior management personnel in an organization—the board of directors, CEO, and heads of business or IT functions. Eventually, support should come from all employees in the organization. This support can be stimulated by an effective security awareness program tailored to different groups of employees.

Top-Down Approach

In a top-down approach, senior management shows that it takes security seriously and is actively involved in spreading information assurance awareness. They should mandate observation of the information assurance policy. This way, security is not treated as merely a matter of technology, such as an antivirus or firewall solution, a view that is often the result of a lack of awareness in the area of information security. Fortunately, that mind-set is changing slowly because of the rise in incidents such as data theft and hacking. By embracing a top-down approach, security is no longer a purely technical matter.

The first step in a formal top-down implementation is developing and presenting an approved, shared, and documented strategic plan. This document becomes a basic reference for continuous efforts. Prior to implementing security controls from the top and going through all organizational layers, senior executives should know the priority areas for control. Once there is a clear understanding of threats and risks to critical assets of the organization, the top-down approach should be developed, approved, and distributed as an information assurance policy. This policy should be endorsed and communicated formally by senior leadership and the organization’s executives.

External security audits are another security matter handled through a top-down approach. Audits and information assurance policies are closely related. Audits and policy reviews should be performed regularly to check whether established information assurance policies are effective. There are several standards, guidelines, or procedures related to auditing information assurance in the market, such as those from NIST, COBIT, and ISO/IEC 27001.

A top-down approach is characterized by a high degree of control from the head office. It includes the overall strategy of its approach and phases of implementation. This approach encourages integration. It is easier to combine different elements in an information assurance program when it receives demonstrated support from the highest management level.

A problem with developing a top-down strategy is that it takes a longer time for approval. This creates slower decision making throughout the ranks. Since technology advances rapidly, the slowness may lead to poor technical decisions, and the organization ends up using an out-of-date solution. Avoiding this problem through a rapid, enforceable decision-making process, such as change management boards, is what makes top-down approaches excel.

The top-down approach is becoming predominant because senior management in organizations has become aware that serious personal consequences (such as large fines or even jail time) may result from lack of attention to regulatory compliance relating to information assurance.

Bottom-Up Approach

A bottom-up approach refers to a situation in which a functional department or unit adopts strategic, operational, or tactical management to develop a security program without senior management support and direction (see Figure 8-1). A bottom-up approach is good for areas in organizations that need immediate security attention because of high risk or available budget. Since this approach focuses fully on technology or operational controls, it is more effective at addressing daily operational requirements.

The bottom-up approach is better when there is clear indication that implementers’ resistance to change stems from insecurity such as anxiety about losing jobs because of a potential merger. Linking the elements in a bottom-up approach creates a larger process, part, or system, which is effective for faster integration. In using this approach, the challenge is to gain the support of senior managers to drive process improvement forcefully among subordinates. This poses additional challenges because of managers’ fears of losing respect and authority. Despite the fact that a bottom-up approach may be desirable under certain circumstances, management should be informed about progress and decisions made. ISO 27001 embraces the use of a top-down approach where management’s involvement and oversight are required throughout the security improvement life cycle.

Outsourcing and the Cloud


When outsourcing or using cloud services, a top-down approach to information assurance is mandatory. Senior leadership must set the tone surrounding security expectations of any business partner, outsource solution, or cloud provider. The senior executives and senior leadership of an organization are ultimately responsible for the performance of security functions of their cloud or outsourcing partners.

Organizations have used frameworks by ISACA, the Cloud Security Alliance (CSA), and the U.S. National Institute of Standards and Technology. These frameworks help ask the important security questions when looking at an outsourced partner or cloud provider. Organizations must remember that their information will be subject to laws and regulations of not only their headquarters but also the laws and regulations of the outsourcing partner and cloud provider.

Balancing Information Assurance and Associated Costs

It is imperative for senior management and security professionals to understand all views on security expenditures. Business and revenue-generating activities motivate senior management; therefore, they focus on productivity and activities related directly to it. The fact that it is not straightforward to calculate a return on security investment (ROSI) makes keeping management support more difficult. Early implementation of controls reduces the probability of high losses because of security incidents. Implement new controls once an organization resolves the situation and cleans up the damage.

Prior to applying a top-down or bottom-up approach, an organization needs to analyze the associated factors and costs of protecting information. Factors such as performance, availability, and coverage are part of the analysis. There is a potential for trade-off analysis here; for example, an organization with a higher level of reliance on availability of information and wider control coverage would require a larger investment.

Ideally, the requirements definition process should start from the top. Drive the process by aligning it with the organization’s business objectives. This type of investment is good since it examines the overall information assurance posture of organizations and the immediate controls required. Understanding all business processes is important to ensure that changes in the management or maintenance processes are correctly managed.

Bottom-up investment does not emphasize the prioritized investments for security control. This is certainly the opposite of top-down investment. Making clear decisions based on a bottom-up investment strategy leads to questions about the thoroughness of the review of the organization’s needs. This includes becoming familiar with an organization’s services, products, financial situation, and evaluation reports on previous efforts related to information assurance.

Ultimately, the manner in which an organization approaches information assurance depends on its appetite for risk. Senior management needs to consider the impact to the organization if it does not adequately mitigate risks. Organizations must avoid giving attention and resources to information assurance deficiencies only after a significant issue such as a breach has occurred; be proactive. From a customer viewpoint, organizations should take full advantage of productivity and opportunity by deploying proper controls to ensure continuity and to increase customer trust and usage.

Finally, organizations should protect not only their own and their customers’ assets but also associated brands, networks, and web sites. All online content, communication, and commerce should be protected within every layer of data transmission and storage, proportionate to the value of the data. End-to-end security is necessary not only to preserve customer confidence and encourage online usage but also to avoid regulatory penalties, financial liabilities, and consequential losses. End-to-end security refers to a situation where information from the sender is encrypted and secured from the moment it is created, stored, and transmitted until it is received at the destination.

Further Reading

      • Bottom-up Investing in Investopedia.com. Investopedia ULC, 2007. www.investopedia.com/terms/b/bottomupinvesting.asp.

      • Cloud Security Alliance. Cloud Controls Matrix, 2012. https://cloudsecurityalliance.org/research/ccm/.

      • ISO 9000:2000 Frequently Asked Questions. International Organization for Standardization (ISO), 2004. www.iso.org/iso/en/iso9000-14000/explore/transition/faqs.html?printable=true.

      • Rasmussen, Gideon T. Implementing Information Security: Risks vs. Cost. 2005. www.gideonrasmussen.com/article-07.html.

      • Cloud Computing Synopsis and Recommendations. U.S. National Institute of Standards and Technology, 2012. http://csrc.nist.gov/publications/nistpubs/800-16/sp800-146.pdf.

      • Conklin, Wm. Arthur, et al. Introduction to Principles of Computer Security: Security+ and Beyond. McGraw-Hill Education, March 2004.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, ed. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

      • Tom, P. Data Protection and Information Lifecycle. Prentice Hall, 2006.

      • “Top-Down Approach for Security.” Network Magazine. Indian Express Newspapers, June 2003. www.networkmagazineindia.com/20030h6/is15.shtml.

Critical Thinking Exercises

        1. An organization has never had a formalized information assurance program. What kind of an approach is most likely currently occurring, and what are the advantages and disadvantages of the approach?

        2. An organization operates out of the European Union but wants to use a cloud provider based in the United States to store and process healthcare information about people living in the European Union. What laws, regulations, and rules must the organization be aware of?

        3. An organization currently has a web site that processes personally identifiable information (PII) for a client. A network engineer points out a vulnerability in the web site that will cost $125,000 to mitigate. Currently, the system is operating in the United States, and it would be subject to breach notification laws. What is the best approach to ensure return on investment?
