The Convergence of IT Security and Enterprise Risk Management: A Security Professional’s Point...

Posted 19-Oct-2014, category: Technology

SECURITY CONVERGENCE AND ERM

The Convergence of IT Security and Enterprise Risk Management (ERM): A Security Professional's Point of View

© 2009 The Alliance for Enterprise Security Risk Management. All rights reserved. Page 2

 

About AESRM
The Alliance for Enterprise Security Risk Management™ (AESRM™, www.aesrm.org) is a partnership of two leading international security organizations, formed to address issues surrounding the convergence of traditional and logical security.

About ASIS
ASIS International (www.asisonline.org) is the preeminent organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine—Security Management—ASIS leads the way for advanced and improved security performance.

About ISACA
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager® (CISM®) designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT™ (CGEIT™) designation.

Disclaimer
The Alliance for Enterprise Security Risk Management (AESRM), www.aesrm.org, has designed and created this publication, titled The Convergence of IT Security and Enterprise Risk Management (ERM): A Security Professional’s Point of View (the “Work”), primarily as an educational resource for security professionals. AESRM makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

 


Reservation of Rights
© 2009 The Alliance for Enterprise Security Risk Management. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without prior written authorization from AESRM. Reproduction of selections of this publication, for internal, noncommercial or academic use only, is permitted and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

AESRM Member Organizations
ASIS International, 1625 Prince Street, Alexandria, VA 22314, USA. Phone: +1.703.519.6200, Fax: +1.703.519.1501
ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA. Phone: +1.847.253.1545, Fax: +1.847.253.1443, E-mail: [email protected], Web site: www.isaca.org

The Convergence of IT Security and Enterprise Risk Management (ERM): A Security Professional’s Point of View
Printed in the United States of America

Acknowledgments
AESRM wishes to recognize:
Emil G. D'Angelo, CISA, CISM, Bank of Tokyo Mitsubishi UFJ, USA
Eduard J. Emde, CISSP, CPP, RSE, Interseco, The Netherlands
Anne T. Ferraro, CISA, CISM, Information Risk and Business Resiliency, JP Morgan Chase & Co., USA
Dave B. Morrow, CISM, Secure Business Operations LLC, USA
Jeff M. Spivey, CPP, PSP, RiskIQ, USA

The Author
Joerg Fritsch is the engineer of communication and information security at the NATO C3 Agency in The Hague, Netherlands. Before joining the NATO C3 Agency, he was involved in e-commerce applications and their security. Over the last 10 years, he has published two books and numerous magazine articles on IT security, TCP/IP, load balancing and other subjects. He is currently studying for an MBA degree.


Introduction
During IT security’s formative years, practitioners often found themselves at odds with the business customers they served. IT security was frequently viewed as more of an impediment to business than an enabler; it was the bad-tasting, but necessary, medicine that had to be taken for reasons most business leaders did not fully understand, but grudgingly accepted. Of course, the security practitioners had as much, if not more, to do with this image than their business counterparts. Their focus on security technology, and mitigation of risks for technology’s sake, often alienated those to whom IT was a black box that seemed to cost more than its perceived value. Even today, there remains a wide gulf between those well-versed in IT and those who are not; 10 years ago it was a chasm.

Nevertheless, a number of factors within the business world have brought IT security out of the data center and into the boardroom. With this shift, IT security practitioners have found themselves needing to learn to express themselves in terms that are meaningful to business leaders and in alignment with the broader enterprise risk management (ERM) activities.

IT Security Fads Over the Past 15 Years
On paper, the mission of IT security has been aligned with business objectives and strategy since the early 1990s, when it first began to truly differentiate itself as a discrete discipline within IT. In practice, however, IT security grew up through the latter part of that decade (and even into the initial years of the 21st century) with a technology-centric self-image, seeing its primary mission as creating boundaries and “checkpoints,” with a particular focus on network perimeter defense. Each year new stand-alone perimeter security products hit the market: intrusion detection systems (IDSs), intrusion prevention systems (IPSs), application/XML firewalls, content filters, etc. Of course, IT security managers eagerly implemented them, putting their money and resources into protecting against every possible perimeter vulnerability. Clearly, this myopic focus on building perimeters was not generally conducive to the free flow of business operations and processes. Many, if not most, business customers, as well as other areas of IT, viewed IT security as a necessary evil that was sure to delay or hamper any project or program it touched.

In recent years, however, as the security profession has matured, IT security professionals have begun to shift their focus to achieve better alignment to business objectives and have even begun articulating risks in a manner that the business can understand. Gone are the days of black box security teams that jump to buy every new technology purported to protect against even the most obscure threat. Indeed, the business is asking increasingly hard questions about security requirements, the true nature of the risks cited and expected return on investment (ROI) on new security technologies and processes. On the other hand, information security managers are now embracing a more business-focused risk management perspective; they are more likely to solicit the involvement of other IT and business stakeholders as they seek to better understand and protect business information and processes—not solely IP addresses. In short, information security managers are now much better prepared to articulate and approach—in business terms—the risks associated with their specific discipline. This equips them to align more effectively with the broader set of enterprise risks (figure 1).


As IT security has matured and become more business-oriented, a concept of increasing interest is the convergence of IT security with other related enterprise entities, such as privacy, physical security and ERM. This publication focuses on the convergence of IT security with ERM, and how typical IT security skills and techniques can be applied to ERM.

 

Convergence and ERM Defined
First, it is important to address the ambiguity of the word “convergence.” Among security officers, the perceived meaning of convergence lies somewhere on a continuum between “cooperate” and “merge.” The point selected on the continuum may vary for any number of enterprise or even personal reasons, but it is to be hoped that the decision is based primarily on the business requirements of the enterprise. For the purpose of this publication, Tyson’s definition of convergence will be used:

Security Convergence is the integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.[1]

Another ambiguity is the definition of ERM. According to theory, ERM should harmonize (or coordinate) all risk management activities within an enterprise. Miccolis defines ERM as a “coordinated approach to assessing and responding to all risks that affect the achievement of the organization’s strategic and financial objectives.”[2] Most important—from the security professional’s perspective—is what ERM is seeking to accomplish in the enterprise, which language the ERM team speaks and which units of measure are meaningful to the broader audience of business stakeholders.

[1] Tyson, D.; Security Convergence: Managing Enterprise Security Risk, Elsevier/Butterworth-Heinemann, 2007
[2] Miccolis, J.A., et al.; Enterprise Risk Management: Trends and Emerging Practices, Institute of Internal Auditors, USA, 2001

Figure 1—IT Security “Fads” Over the Past 15 Years

Lingua Franca[3] for ERM
The key challenge to successfully integrating an IT security program into a broader ERM initiative is ensuring that the information being provided is expressed in language that is understood by the enterprise stakeholders. Typically, IT practitioners offer up such risk items as potential impacts of viruses and malware or loss of system availability, without necessarily connecting those events back to actual business impact. These technically phrased risk descriptions are generally not very helpful to the ERM process. Figure 2 provides some ideas on how success factors and business objectives can be mapped to IT security risks.

Figure 2—Cascading of Critical Success Factors Into IT Security Risks

| Business Objective | Critical Success Factors | IT Assurance Objective | IT Security Risk |
|---|---|---|---|
| Increased sales and customer retention | Better customer loyalty index | Mobile sales force equipped with offline customer relationship management (CRM) database | Leakage/disclosure of CRM data at rest |
| Minimized problems and waste | Reduced outage hours per month; planned outages (hrs) vs unplanned outages (hrs) | Minimized turnaround times for reconfiguring filters | Infrastructure risks: IT security platform not sufficiently aligned with business requirements |
| Efficient communications | Number of overdue responses | Reduced amount of spam and internal notifications | N/A |
| Increased staff satisfaction and effort | Staff turnover, number of applicants for employment | Increased distribution of mobile equipment and development of a personal use policy | Dual use of equipment: personal use and business use |

Fortunately, in recent years, thinking has begun to change among IT security and information assurance managers (figure 3), shifting from a focus on traditional technically oriented security risks to a much broader view focused on enterprise risks.

[3] A language systematically used to communicate between persons not sharing a mother tongue.


Figure 3—Shift of IT Security Risks From IT Risks to “Real” Enterprise Risks

However, traditional IT security risks, such as e-mail virus attachments, Trojans and hackers probing the network, remain the primary focus in many enterprises. This is due, in great part, to the well-oiled IT security industry marketing engine that continues to focus attention on the same set of technical security risks (familiar to everyone from the custodian to the CEO now that there is an Internet-connected personal computer in nearly every household). In practice, state-of-the-art countermeasures and safeguards in the network and embedded in operating systems mitigate the majority of these commonly cited vulnerabilities, significantly reducing their threat. This is not to say that there are not IT security risks that carry significant potential impact. However, there are many risks that carry far greater potential impact to the enterprise objectives. A few examples are:
• Physical risks (originating from theft, terrorism, accidental or intentional damage, water, fire, etc.)
• Logical risks (originating from data corruption, interface errors, etc.)
• Infrastructure risks (failure of technological platform to align with business strategy and goals, delayed adoption of new technologies)
• Human error

Interestingly, the Verizon 2008 Data Breach Investigations Report attributes 62 percent of all breaches to significant errors.[4]

[4] Verizon Business Risk Team, 2008 Data Breach Investigations Report, www.verizonbusiness.com/resources/security/databreachreport.pdf

Figure 3 labels: Advent of Internet, IT without security; IT as “toy”; IT as “tool”. IT security focusing on traditional IT threats: viruses, malware, misuse, attacks from the Internet. Broader view of IT security: information assurance, disaster recovery, business continuity, data loss prevention.


While most of the aforementioned risks are quite familiar to the enterprise and have sufficient historical data to allow for fairly accurate frequency and financial impact mapping, the types of risks tracked by information security are not always so easily articulated. By nature, technical security risks are often difficult to express in discretely measurable financial terms. Technical security managers need to find a middle ground so that the risks they document, while necessarily expressed in qualitative terms, still carry sufficient meaning to provide actionable information to their business customers.

Contributing to ERM Without Having Numbers: Do a Cyberdragnet Investigation
Although, in the end, everything has a cost attached to it and thus must eventually be measurable in financial terms, it is possible to contribute to ERM on a purely qualitative basis. By defining IT security and information assurance as a transformation system (figure 4) where the plethora of log entries of the actual technical safeguards serve as input, it is possible to produce a considerable amount of “business” intelligence and profiles. This information can then be applied in the decision-making process. Examples include:
• Evaluation of the effectiveness of the implemented controls
• Typical frequency, format and size of virus e-mails
• Geographic origination site of port scans, probes and attacks on the network perimeter
• Correlation of incidents with time, announcements of business decisions, announcements of new products, etc.
• Identification of situational factors (e.g., for human error)

Figure 4—Definition of IT Security as Transformation System Eventually Producing Business Intelligence
Input (port scans; theft, lost data; attempted breaches; traditional risks such as viruses and malware; attacks) → Transformation (IT security, information assurance) → Output (statistics, business intelligence)

The profiles that might be found can sometimes be more useful than the actual numbers behind them and can, in practice, be more relevant than the previous examples.

Using Knowledge Management and Optimization to Find and Organize Interesting Risks
The Venn diagram in figure 5 (the risk assessment graphic on the right) suggests that ERM is happening in areas where all key concepts of security (traditional security and operational risk management, financial risk management and IT risk management) have common factors. The problem is not to identify common factors, but to judge their relevance. Only those common factors that are relevant for achieving business objectives or generating competitive advantage can be tagged as “ERM-ready.”
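As an added illustration of the transformation system in figure 4 (example code written for this edition, not the paper's or AESRM's), the following Python script takes constructed perimeter and mail-gateway log lines as input and produces three of the profiles listed above: where port scans and probes originate, the typical size of virus-carrying e-mail, and the incident rate in the days after a business announcement compared with the rest of the observation period. The log formats, the IP-to-region table, the announcement date and the observation period are all constructed stand-ins; a real deployment would feed firewall, IDS and mail-gateway exports and a GeoIP lookup into the same functions.

```python
"""Cyberdragnet profiling: raw safeguard log lines in, qualitative profiles out
(figure 4 of the AESRM paper: input -> transformation -> output).
Added example, not the paper's code. Every log line, address range, date and
the REGION_BY_PREFIX table below are constructed; the table stands in for GeoIP."""
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import median

# Constructed perimeter events: ISO timestamp, source IP, event kind.
PERIMETER_LOG = """\
2009-03-02T01:12:44 203.0.113.7 portscan
2009-03-02T03:40:01 198.51.100.23 portscan
2009-03-03T11:05:19 203.0.113.9 probe
2009-03-10T09:00:02 192.0.2.44 portscan
2009-03-10T09:04:51 192.0.2.45 portscan
2009-03-10T10:12:07 203.0.113.7 attack
2009-03-11T02:22:30 192.0.2.46 portscan
2009-03-11T14:45:00 198.51.100.23 probe
"""

# Constructed mail-gateway records: ISO timestamp, attachment size in bytes, verdict.
MAIL_LOG = """\
2009-03-02T08:01:00 34120 virus
2009-03-02T08:03:10 33980 virus
2009-03-03T08:02:44 1200 clean
2009-03-10T08:00:59 35010 virus
2009-03-11T08:05:12 770000 clean
"""

# Constructed prefix-to-region table (documentation address ranges), a GeoIP stand-in.
REGION_BY_PREFIX = {"203.0.113.": "region-A", "198.51.100.": "region-B", "192.0.2.": "region-C"}

# Constructed business announcement and observation period for the correlation profile.
ANNOUNCEMENTS = [date(2009, 3, 10)]
PERIOD = (date(2009, 3, 1), date(2009, 3, 12))


def region_of(ip):
    """Map a source address to a region; unknown prefixes are kept, not dropped."""
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def parse_perimeter(text):
    """Input side of the transformation: one (datetime, ip, kind) per log line."""
    events = []
    for line in text.splitlines():
        ts, ip, kind = line.split()
        events.append((datetime.fromisoformat(ts), ip, kind))
    return events


def scan_origin_profile(events):
    """Geographic origin of port scans and probes against the perimeter."""
    return dict(Counter(region_of(ip) for _, ip, kind in events
                        if kind in ("portscan", "probe")))


def virus_mail_profile(text):
    """Typical virus e-mail: how many were seen and their median attachment size."""
    sizes = []
    for line in text.splitlines():
        _, size, verdict = line.split()
        if verdict == "virus":
            sizes.append(int(size))
    return {"count": len(sizes), "median_bytes": median(sizes) if sizes else 0}


def correlate_with_announcements(events, announcements, period_start, period_end,
                                 window_days=2):
    """Events per day inside the window after each announcement vs the rest of the period.

    The window is the announcement day plus window_days following days; events
    outside [period_start, period_end] are ignored so both rates share a baseline."""
    window = set()
    for ann in announcements:
        for offset in range(window_days + 1):
            day = ann + timedelta(days=offset)
            if period_start <= day <= period_end:
                window.add(day)
    in_period = [e for e in events if period_start <= e[0].date() <= period_end]
    inside = sum(1 for ts, _, _ in in_period if ts.date() in window)
    outside = len(in_period) - inside
    outside_days = (period_end - period_start).days + 1 - len(window)
    return {"inside": inside, "outside": outside,
            "inside_per_day": inside / len(window) if window else 0.0,
            "outside_per_day": outside / outside_days if outside_days else 0.0}


if __name__ == "__main__":
    evts = parse_perimeter(PERIMETER_LOG)
    print("scan origins:", scan_origin_profile(evts))
    print("virus mail:", virus_mail_profile(MAIL_LOG))
    print("announcement effect:", correlate_with_announcements(evts, ANNOUNCEMENTS, *PERIOD))
```

None of the three outputs is a financial figure, which is the point of the section: the region profile and the median attachment size are qualitative "statistics" a business stakeholder can act on (for example by questioning why scans cluster in one region), and the announcement correlation turns a pile of perimeter events into a statement about timing that the ERM team can relate to its own calendar of business decisions.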


Figure 5—Position of ERM Seen From a Technical Perspective

Experience suggests that certain disciplines/roles have a habit of not questioning common factors. Typical IT leaders assert that the building and physical premises are secure, the money to support the IT infrastructure and projects is available (if agreed in the budget plan) and salaries are getting paid on time. How might the assertions of the other sides look? Finance and senior management might assert the safety of their data. Traditional security might assert the availability of closed circuit television (CCTV) based on Internet Protocol (IP) networks and so on.

The risk assessment graphic of figure 5 also shows an interesting view of the position of IT (security) that has been adapted from Gonzalez-Castillo’s paper on the taxonomy of security.[5] Interestingly, in this visualization IT security has moved from merely being on set to being “the center of everything,” whereas ERM has become the encompassing framework.

Another, more outcome-oriented approach that will afford a better grip on the relationship among the three areas of risk management is the development of a taxonomy scheme/tree. The example in figure 6 is based on the table in figure 2. The key is to limit the number of categories to no more than five (at the very maximum) and keep the number of different keywords within a category as low as possible. Keywords such as “sales,” “increase” or “communication” can then be used to browse the resulting tree by use of filters on the spreadsheet. The taxonomy in figure 6 could be further improved by adding references that map the defined relationships to applicable sections of the ERM policy. Most enterprises should already have a similar model in use for cascading enterprise objectives into departmental and individual objectives. That model can be readily adapted to this purpose.

[5] Gonzalez-Castillo, O.Y.; “Taxonomy of Security,” European Biometrics Portal, 2005, www.europeanbiometrics.info/images/resources/66_470_file.pdf
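The taxonomy tree just described, as an added Python example (not code from the paper): the rows are the four cells of each line of figure 2, the tree cascades business objective, critical success factor, IT assurance objective and IT security risk, a case-insensitive keyword filter stands in for the spreadsheet filters mentioned above, and a risk is tagged "ERM-ready" only when its path reaches all the way back to a business objective. The level names, the filter function, the ERM-ready rule and the category-limit check are this example's own assumptions about how the paper's idea would be implemented.

```python
"""Taxonomy tree for cascading critical success factors into IT security risks
(figures 2 and 6 of the AESRM paper). Added example, not the paper's code.
ROWS are transcribed from figure 2; LEVELS, the keyword filter and the
ERM-ready rule are this example's assumptions."""

LEVELS = ("business objective", "critical success factor",
          "IT assurance objective", "IT security risk")

# One tuple per row of figure 2, ordered as in LEVELS. None marks the N/A cell.
ROWS = [
    ("Increased sales and customer retention",
     "Better customer loyalty index",
     "Mobile sales force equipped with offline CRM database",
     "Leakage/disclosure of CRM data at rest"),
    ("Minimized problems and waste",
     "Planned outages (hrs) vs unplanned outages (hrs)",
     "Minimized turnaround times for reconfiguring filters",
     "IT security platform not sufficiently aligned with business requirements"),
    ("Efficient communications",
     "Number of overdue responses",
     "Reduced amount of spam and internal notifications",
     None),
    ("Increased staff satisfaction and effort",
     "Staff turnover, number of applicants for employment",
     "Increased distribution of mobile equipment and development of a personal use policy",
     "Dual use of equipment: personal use and business use"),
]


def build_tree(rows):
    """Nested dicts: each cell becomes a node beneath the cell to its left."""
    tree = {}
    for row in rows:
        node = tree
        for cell in row:
            if cell is None:          # the cascade stops at an N/A cell
                break
            node = node.setdefault(cell, {})
    return tree


def paths(tree, prefix=()):
    """Every root-to-leaf path of the tree, as a tuple of cell texts."""
    if not tree:
        yield prefix
        return
    for cell, child in tree.items():
        yield from paths(child, prefix + (cell,))


def filter_paths(tree, keyword):
    """Spreadsheet-style filter: keep the paths in which any cell contains the keyword."""
    kw = keyword.lower()
    return [p for p in paths(tree) if any(kw in cell.lower() for cell in p)]


def erm_ready_risks(tree):
    """Tag a risk ERM-ready only if its path is complete through every level,
    i.e. it can be traced back to a business objective."""
    return sorted(p[-1] for p in paths(tree) if len(p) == len(LEVELS))


def keywords_per_level(rows):
    """Distinct keywords in each category, the number the paper says to keep low."""
    return [len({row[i] for row in rows if row[i] is not None})
            for i in range(len(LEVELS))]


def within_category_limit(max_categories=5):
    """The paper's rule of thumb: no more than five categories (levels)."""
    return len(LEVELS) <= max_categories


if __name__ == "__main__":
    tree = build_tree(ROWS)
    for p in filter_paths(tree, "sales"):
        print(" > ".join(p))
    print("ERM-ready risks:", erm_ready_risks(tree))
    print("keywords per level:", keywords_per_level(ROWS))
```

Browsing the tree with the keyword "communication" returns a path that stops at the IT assurance objective, because the figure 2 row has no security risk (N/A); that row is therefore not ERM-ready, which is exactly the relevance judgment the section says must be made before a common factor is handed to the ERM team.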


Figure 6—Usage of Taxonomy for Cascading Critical Success Factors Into Interesting IT Risks
Sales: Increase: Offline availability of CRM database (DB): Secure data at rest on mobile sales team laptops
Customer Retention: Offline availability of CRM DB: Secure data at rest on mobile sales team laptops
Communication:

ERM as Advocacy
ERM is a welcome innovation that (according to AESRM)[6] initially produces a common security manager while the disciplines and subject matter expertise remain separated by lines of responsibility. It is then up to the appointed ERM manager to determine how this new approach can be implemented. In manufacturing industries, leaders tend to take the implementation of an innovation or a new product (idea) much more seriously and first ask whether operations can deliver/produce the new goods. With security and risk management it often seems as if we are looking only at Basel II, International Organization for Standardization (ISO) 2700x, Committee of the Sponsoring Organizations of the Treadway Commission (COSO) and IT Infrastructure Library (ITIL) and we limit our implementation strategy to finding mappings on that particular set of guidance. Instead, we should take our cue from figure 1 and become aware that the self-image of IT security has changed, and this needs to be reflected in broader organizational risk management processes. This concept must be championed by line management and communicated to the IT heads who refuse to change the attitude that worked so well in the 1990s. We need to better communicate our visions and educate employees to get them into the big picture of ERM. One new position at the top of the hierarchy and blueprints is simply not enough.

Conclusion
Seven instructions for IT security practitioners to express themselves in terms that are meaningful to business leaders in alignment with the broader ERM activities are to:
1. Create a universally accepted definition of convergence and ERM.
2. Learn the language of the ERM role.
3. Map broader IT and business objectives to information security risks.
4. Leverage educated guesswork and personal judgments.
5. Strive for profiles and do regular cyberdragnet investigations.
6. Use common sense when treating traditional information security risks.
7. Make clear the enterprise’s objectives for ERM.

[6] AESRM, Deloitte and Touche LLP, “The Convergence of Physical and Information Security in the Context of Enterprise Risk Management,” USA, February 2005


References

AESRM, Deloitte and Touche LLP; The Convergence of Physical and Information Security in the Context of Enterprise Risk Management, USA, February 2005, www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=36010

Gonzalez-Castillo, O.Y.; “Taxonomy of Security,” European Biometrics Portal, Germany, 2005, www.europeanbiometrics.info/images/resources/66_470_file.pdf

Miccolis, J.A., et al.; Enterprise Risk Management: Trends and Emerging Practices, Institute of Internal Auditors, USA, 2001

Tyson, D.; Security Convergence: Managing Enterprise Security Risk, Elsevier/Butterworth-Heinemann, USA, 2007

Verizon Business Risk Team, 2008 Data Breach Investigations Report, USA, 2008, www.verizonbusiness.com/resources/security/databreachreport.pdf