
White Paper The ESG Information Security Management Maturity Model

By Jon Oltsik, Senior Principal Analyst

July, 2011

This ESG White Paper was commissioned by RSA and is distributed under license from ESG. © 2011, Enterprise Strategy Group, Inc. All Rights Reserved


Contents

Executive Summary
The Information Security Management Maturity Model
    The Threat Defense Phase
    The Compliance and Defense-in-Depth Phase
Security Management Matures
    The Risk-based Security Phase
    The Business-Oriented Phase
The Bigger Truth

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.


“Over the past several years there has been a pretty comprehensive maturing of our security processes and organization”

--Director of Information Security, Financial Services Organization

Executive Summary

The Enterprise Strategy Group has been actively following the information security market since 2003. During this timeframe, ESG has undertaken numerous surveys involving thousands of enterprise security professionals and conducted hundreds of interviews with CISOs and other senior security executives. Over the past few years, ESG has noticed change in the information security air. Since enterprises face a much more dangerous threat landscape, they are actively evolving historical tactical security defenses into a more formal information security management framework. Based upon this evolutionary trend, ESG developed a 4-phased security management maturity model. The model described in this white paper:

Begins with a historical look at security management, describing how and why large organizations are where they are today.

Examines why existing security models focused on legacy security technologies and regulatory compliance are no longer able to provide adequate security protection.

Describes a way forward—first with IT risk management and finally by aligning IT risk management with business processes. In this way, security management can provide both effective protection and business value.

The Information Security Management Maturity Model

Back in the 1990s, all types of large organizations connected their networks to the Internet, kicking off a revolution in collaboration, communications, and network-based business processes. Unfortunately, these benefits came at a price. When private and public networks intersected, CIOs recognized the need for new types of security defenses—like firewalls, Intrusion Detection Systems (IDSs), and desktop antivirus software—to protect their IT assets from digital security threats. Throughout the intervening years, protecting IT assets has evolved from technology safeguards to a full-time management discipline. Today, large organizations employ Chief Information Security Officers (CISOs) along with dozens of security architects, analysts, and operators. What’s more, security management continues to advance, from a tactical IT task to a strategic set of formal policies and procedures that are tightly integrated into the business. This evolution is captured in the Enterprise Strategy Group Information Security Management Maturity Model (see Figure 1).


Figure 1. The ESG Information Security Management Maturity Model

Source: Enterprise Strategy Group, 2011.

The ESG Information Security Management Model is composed of 4 distinct phases that encompass historical practices and future aspirations:

1. Threat defense phase

2. Compliance and defense-in-depth phase

3. Risk-based security phase

4. Business-oriented phase


“Years ago, everything was focused on functional security technologies. There was no information sharing – it was one big sausage-making machine”

--CISO, Technology Company

The Threat Defense Phase

From the 1990s to the early 2000s, information security was seen as a “necessary evil,” a cost associated with doing business over the Internet. There was no organized cybercrime underground at the time; hackers were generally thought of as brainy teenage social outcasts looking to prove themselves or cause trouble. Given its tactical nature, information security management was a subset of IT management/operations and primarily focused on avoiding costly outages associated with major threats like worm storms, DDoS attacks, or web site defacement. Security management activities were centered on:

Protecting the Windows environment. Beginning with the Michelangelo virus in 1992, Windows PCs and servers became the primary target for an onslaught of increasingly virulent viruses and worms. These include infamous malicious code attacks like the Melissa virus (1999), the “I love you” worm (2000), Code Red (2001), Nimda (2001), and SQL Slammer (2003). Increasingly destructive viruses and worms led to the development, procurement, and deployment of a tidal wave of Windows security software from the likes of McAfee, Symantec, and Trend Micro.

Keeping network intruders at bay. During the legacy phase, information security activity was highly focused on keeping hackers from gaining network access or attacking internal resources from the Internet. Enterprises wanted to avoid attacks like the one that occurred in February 2000, when name-brand organizations like CNN, eBay, and Yahoo suffered a highly visible Distributed Denial of Service (DDoS) attack that took their valuable Internet properties off-line. As a result of these trends, security investments and management concentrated on the network perimeter with network access rules, gateway devices, and IDS/IPS.

Basic IT operations. Since most malware exploited known Windows vulnerabilities, security managers spent a lot of their time working with IT operations by performing vulnerability scans and patching vulnerable systems.

During the legacy phase, the primary challenge for security managers was dealing with individual threats that had the potential to compromise numerous assets at one time. Maintaining security demanded tight operational processes like scanning and patching thousands of Windows machines on a monthly basis. Organizations that could stay ahead with patch management, firewall rules, and IDS alerts were able to keep security events and operating costs in line.

In general terms, the threat defense phase provided adequate security protection against common hacker attacks and mass-malware distribution but also led to a technology-centric environment featuring “islands” of disconnected security defenses and reactive IT security organizations focused on threat management and IT operations. Since the threat defense phase lacked the formal policies, controls, and auditing needed for regulatory compliance, it was no longer effective for many large organizations.

Table 1. Highlights of the Threat Defense Phase

Objective: Protect organization from hackers on public networks and common malware attacks.

Key Actions: Deploy perimeter network and basic threat defenses (i.e., antivirus software, anti-SPAM, etc.).

Compelling event driving evolution to next phase: New regulations demanded more formal security policies, controls, reporting, and auditing.


The Compliance and Defense-in-Depth Phase

Security management was really centered in two areas during the threat defense phase: Windows systems and network perimeters. The focus of security was to protect the infrastructure rather than the information itself. Unfortunately, this left sensitive electronic records – like credit card numbers, social security numbers, and customer data – extremely vulnerable. This led to the unflattering description of “M&M security” – hard on the outside and soft and chewy on the inside.

Recognizing this security exposure, government legislators and industry bodies reacted with new regulations for protecting sensitive data. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated access controls, user authentication, and data encryption to protect patient health records, while the Payment Card Industry Data Security Standard (PCI DSS) called for firewalls, vulnerability management, and wireless network controls to safeguard cardholder data. Some regulations carried harsh penalties while others mandated embarrassing and costly public disclosure of any data breach incident involving regulated data. This was a turning point for information security management.

Reacting to these regulations, many large organizations were forced into unfamiliar security activities, as they had to:

Create enterprise security policies. Regulations like FISMA, HIPAA, and PCI DSS forced organizations to adopt formal security policies and procedures. While this opened the door for the implementation of industry standard frameworks like ISO 17799/27000, many firms simply codified their existing security practices into a format that aligned with regulatory requirements. This wasn’t ideal, but it did help them pass compliance audits.

Develop data security policies and controls. To avoid the embarrassment and cost of publicly disclosed data breaches, many firms scanned their networks for sensitive data, developed a data classification taxonomy, created acceptable use policies and aligned security controls with their most regulated data. They also invested in new technology safeguards like data encryption, multi-factor authentication, and Data Loss Prevention (DLP).

Concentrate on security audits. Preparing for and passing security audits became the dominant security management activity during the compliance-driven phase. This led to a “check box” mentality where security teams spent their days with spreadsheets and compliance forms making sure that the organization was adhering to compliance requirements. As one frustrated Federal CISO commented, “my staff spends about 75% of its time on FISMA compliance.” Getting ready for security audits meant gathering tons of asset, configuration, vulnerability, and log data, finding the relevant information to verify compliance, creating audit reports, and working with auditors during the actual compliance audit process.

Implement specific controls for defense-in-depth. Regulations like HIPAA and PCI DSS also call for direct security controls like log management, application firewalls, or data encryption. As a result, many organizations invested in new security technologies. In some cases these were quite specific. For example, some companies invested in DLP and eDRM solutions to guard against an accidental or malicious breach of regulated data. Many sophisticated IT shops then combined new security technologies with legacy threat defenses to create a layered security architecture.

Regulatory compliance forced organizations to look beyond tactical threats and establish more comprehensive security policies and layered controls. The primary assumption was that compliance demanded new controls and that these controls worked as advertised. This led some enterprises to believe that regulatory compliance and its associated controls delivered “good enough” security – especially for organizations that don’t consider themselves a likely cybersecurity attack target.

“Our security organization was de-centralized, technology-focused, and obsessed with regulatory compliance.”

--CISO, Financial Services Organization

In retrospect, many organizations now realize that regulatory compliance and layered defenses are not enough alone. In fact, many organizations find themselves in a counterintuitive position—they are indeed compliant but they are not secure. What’s missing? Situational awareness—data-driven knowledge about IT assets, threats, vulnerabilities, and business context that guides security management decisions in real-time. This is where CISOs will focus their attention henceforth.

Table 2. Highlights of the Compliance and Defense-in-Depth Phase

Objective: Establish policies, processes, and controls for regulatory compliance. Build layered security architecture as part of this effort.

Key Actions: Formalize policies. Deploy specific security technologies needed for regulatory compliance. Capture security data for compliance audits.

Compelling event driving evolution to next phase: CISOs realize that compliance does not equal security. Closing this gap depends upon situational awareness and responses based upon real data.

Security Management Matures

Aside from the misalignment between compliance and security, a number of other trends are further compromising the effectiveness of existing security policies, procedures, and controls including:

New threats. Alarmingly, new malware variants are discovered roughly every 2 seconds! Why has malware become so pervasive? Cybercriminals have evolved malware development into a formal business process rivaling leading software firms. This specialization includes division of labor, skilled development and testing, crowd sourcing, and business partnering. Interestingly, the volume of spam has decreased while the number of targeted attacks has increased as cybercriminals reach for higher-value targets. Furthermore, sophisticated attacks (a.k.a. Advanced Persistent Threats (APTs)) have become more difficult to detect, can remain dormant for extended time periods, and are ultimately designed to steal valuable information such as Intellectual Property (IP).

New and vulnerable IT innovations. Over the last few years, large organizations have embraced numerous IT innovations including mobile devices (i.e., smart phones, tablet PCs), web applications, server/desktop virtualization, and cloud computing. These technologies are creating new opportunities to drive revenue and cut costs, but their mobility and relative immaturity open the door to a host of new threats and vulnerabilities. With public cloud computing, IT components and critical applications may actually live at a 3rd party site. This begs the question: How can you secure assets when they reside outside of IT’s purview?

More network-based business processes. IT is at the heart of most internal and external business processes, connecting organizations to customers, suppliers, and business partners across the globe. In today’s interconnected world, the notion of a network perimeter is a historical relic.

ESG sensed a change in attitude around 2009, when many large organizations realized that they needed to move security management beyond regulatory compliance alone. This insight is driving the current transition in security management.

The Risk-based Security Phase

Moving beyond regulatory compliance, CISOs understood that they needed a much more accurate picture of the IT assets across the enterprise if they were going to improve their security management effectiveness. They also needed better visibility into IT changes so they could identify new assets, configuration changes, and vulnerabilities quickly and then address them with adequate security controls.


“It’s important to use the organization’s risk and security management to demonstrate value. You have to be able to tell management that you can mitigate $X amount of risk by spending $X amount of dollars.”

--Director of Information Security, Financial Services Organization

There is also a fundamental change in security assumptions. In the past, CISOs assumed that, once deployed, security controls worked correctly and thus offered ample protection. In today’s threat landscape, CISOs must adopt an opposing strategy by assuming that security controls may be vulnerable, compromised, or simply ineffective against burgeoning threats. To cope with these dynamic changes, enterprises began to capture, analyze, and act upon this information, beginning a security management transition into the IT risk-oriented phase.

Just what is IT risk management? From an information security perspective, risk management is the process of assessing the frequency and impact of security threats across the organization and determining the vulnerabilities exposing organizations to each threat.

With IT risk management, threats and vulnerabilities are assessed on an asset-by-asset basis (i.e., business application, server, storage system, network device, etc.). Risk management decisions can then be made depending upon the level of exposure (i.e., threats and vulnerabilities) as well as the asset’s value (i.e., the relative significance each asset delivers in overall business operations).

Armed with these metrics, organizations make qualitative and quantitative risk management decisions such as risk acceptance, risk assignment, or transfer (i.e., transferring potential risk to a third party such as an insurance company) or risk reduction (i.e., mitigating risk by implementing security controls, policies, and procedures).

In this phase, larger organizations also focus on building Security Operations Centers or SOCs, in which teams of analysts seek to leverage the massive amount of data collected as part of compliance and risk management and use it to detect and respond to incidents. The challenge here is making the data useful as compliance data is often insufficient for detecting many types of advanced threats. Advanced threats can also easily evade detection even by sophisticated correlation rules if data analysis is limited to low-level information such as packet traffic. SOCs need to increase “useful visibility” by monitoring higher up the stack with data such as network session analysis or application-level behavior profiling.

Many CISOs have set up elementary processes, procedures, and reporting capabilities for basic risk management but this is just the start. The next step for CISOs is something ESG calls, “real-time risk management” that includes:

Instantaneous knowledge. Given the dynamic nature of both IT and the threat landscape, risk assessments must move beyond predefined intervals (i.e., weekly, monthly, quarterly, etc.). Rather, asset changes, vulnerability assessments, and threat data must be available in real-time. Security tools must correlate this information and immediately report on new types or levels of risks. Security practitioners must be trained to digest these inputs, present them to business managers, and expedite risk management mitigation without delay.

Comprehensive visibility and coverage. IT is composed of a multitude of assets like hardware devices, databases, business applications, and virtual appliances. It is no longer enough to understand a sub-segment of the entire IT portfolio alone or adopt a piecemeal view of the entire IT infrastructure through a potpourri of tools. To keep up with assets and their associated vulnerabilities, CIOs need consistent data, visibility, and alerts across the entire IT spectrum. In this way, CISOs can understand all of the threats and vulnerabilities that exist and how they impact the environment.

Constant controls assessment and adjustment. Security controls don’t fit into the “set-it-and-forget-it” category. Rather, controls need persistent assessment and tuning to ensure that they adequately address new or changing risks.
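The asset-by-asset risk assessment defined above (threat frequency and impact, exposure from vulnerability data, asset value, then accept/transfer/reduce decisions) and the real-time re-scoring that “real-time risk management” calls for, worked through as an added example in Python; this is illustrative code, not ESG’s model or any vendor’s product. It quantifies risk in the common frequency-times-impact (annualized loss) form, and every asset, value, frequency, control cost and tolerance figure is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Threat:
    name: str
    frequency: float   # expected occurrences per year (constructed estimate)
    impact: float      # fraction of the asset's value lost per occurrence, 0..1


@dataclass
class Asset:
    name: str
    value: float       # business value in currency units (constructed)
    # threat name -> exposure factor 0..1, derived from vulnerability/config data
    exposure: Dict[str, float] = field(default_factory=dict)


def expected_annual_loss(asset: Asset, threat: Threat) -> float:
    """One asset/threat pair: frequency x impact x exposure x asset value."""
    return (threat.frequency * threat.impact
            * asset.exposure.get(threat.name, 0.0) * asset.value)


def risk_register(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Asset-by-asset register of (asset, threat, annual loss), highest risk first."""
    rows = [(a.name, t.name, expected_annual_loss(a, t)) for a in assets for t in threats]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: r[2], reverse=True)


def treatment(loss: float, tolerance: float, control_cost: float,
              control_effect: float, premium: Optional[float] = None) -> Tuple[str, float]:
    """Pick a risk decision for one register row and return it with its net annual benefit:
    accept   - loss is within the organisation's stated tolerance
    reduce   - a control removing control_effect of the loss costs less than it saves
    transfer - insuring the loss (premium) costs less than carrying it
    escalate - above tolerance but no option pays for itself; needs a management call
    """
    if loss <= tolerance:
        return "accept", 0.0
    options = []
    saved = loss * control_effect
    if saved > control_cost:
        options.append(("reduce", saved - control_cost))
    if premium is not None and premium < loss:
        options.append(("transfer", loss - premium))
    if not options:
        return "escalate", 0.0
    return max(options, key=lambda o: o[1])


def apply_scan_result(asset: Asset, threats: List[Threat], new_exposure: Dict[str, float],
                      tolerance: float) -> List[Tuple[str, str, float, float]]:
    """Real-time step: a vulnerability scan changed this asset's exposure. Recompute the
    affected rows immediately and return (asset, threat, loss before, loss after) alerts
    for every row whose loss rose and now sits above tolerance."""
    alerts = []
    by_name = {t.name: t for t in threats}
    for threat_name, exposure in new_exposure.items():
        threat = by_name.get(threat_name)
        if threat is None:
            continue  # no threat data for this finding yet; nothing to quantify
        before = expected_annual_loss(asset, threat)
        asset.exposure[threat_name] = exposure
        after = expected_annual_loss(asset, threat)
        if after > before and after > tolerance:
            alerts.append((asset.name, threat_name, before, after))
    return alerts


def sample_data() -> Tuple[List[Asset], List[Threat]]:
    """Constructed inventory and threat estimates; not real figures."""
    assets = [
        Asset("billing-app", 2_000_000, {"data-breach": 0.3, "ddos": 0.5}),
        Asset("intranet-wiki", 50_000, {"data-breach": 0.6}),
    ]
    threats = [Threat("data-breach", 0.2, 0.5), Threat("ddos", 2.0, 0.05)]
    return assets, threats


if __name__ == "__main__":
    TOLERANCE = 10_000  # annual loss the business has agreed to carry (constructed)
    assets, threats = sample_data()
    for name, threat, loss in risk_register(assets, threats):
        decision, net = treatment(loss, TOLERANCE, control_cost=30_000,
                                  control_effect=0.8, premium=70_000)
        print(f"{name:14} {threat:12} loss={loss:>10,.0f}  {decision} (net {net:,.0f})")
    # A new scan raises billing-app's data-breach exposure; the row is re-scored at once.
    for alert in apply_scan_result(assets[0], threats, {"data-breach": 0.9}, TOLERANCE):
        print("ALERT", alert)
```

The same register can be re-sorted after each scan or threat-feed update, which is what turns the periodic assessment into the continuous one the text describes.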

As they progress into the IT risk-oriented phase, CIOs should measure their organization’s progress based upon metrics like:


“We need to make security a cooperative goal involving the security team and the business units. The security team can’t be responsible for securing the world on its own anymore”

--CISO, Technology Company

1. The visibility quotient. The goal here is to establish a standard for viewing asset, configuration, and vulnerability data across the enterprise. Security management projects should focus on establishing centralized visibility, security tool integration, and data quality/accuracy. Metrics should reflect progress in these areas.

2. Real-time threat and vulnerability data updates. Configuration changes, external threat intelligence, and vendor security alerts that alter IT asset risk profiles should be captured, processed, and then trigger immediate alerts to the security team. CISOs should push for weekly enterprise risk management reports while setting up the communications, escalation, and infrastructure to react to urgent risk management matters within hours.

3. Streamlined remediation cycles. Security operations teams should be measured on their ability to address new risks. For example, emergency patching or new IDS/IPS rules should be accomplished within hours of a risk-increasing event. CISOs should strive to reduce these remediation cycles to hours.

Table 3. Highlights of the Risk-based Security-Oriented Phase

Objective: Capture data in order to measure and respond to risks on an IT asset-by-asset basis.

Key Actions: Perform IT assessments, collect and report on risk management data in real-time. Implement risk management dashboards, tools, and alerts.

Compelling event driving evolution to next phase: Rather than IT assets alone, CISOs need to align risks with business processes. They also need to build best practices for emergency response.

The Business-Oriented Phase

As large organizations progress through the IT risk-oriented phase they will have the right data, decision-making process, and security operations model to make intelligent security investments and quickly react to changes within IT. This is certainly a vast improvement but IT risk management still suffers from two fundamental flaws:

1. It is reactive in nature. IT risk management kicks in as a function of IT asset deployment, vulnerability data, and the changing threat landscape.

2. It remains centered within IT. Yes, IT assets are categorized by business value but this doesn’t necessarily align well with business processes.

During this final phase, CISOs must reach beyond IT alone and work directly with business management. The goal? Integrate security into business processes as they are developed and implemented, and align security investment and resources with what’s most important to the business itself. This actually demands a new CISO and security team skill set. Security staff must “live” with the business units, understand business processes, and then align security policies, processes, and controls to the business. This may not be feasible for smaller organizations, but it is important to understand the objectives here so the security team can make intelligent investment or outsourcing decisions designed for business protection.

To support this, security policies and risk management decisions must be mapped directly to business value. For example, risk decisions should be made on business applications, services, and processes rather than at the IT asset level. When the CEO accesses corporate e-mail on her iPad on a public network, the security infrastructure can react to these inputs by encrypting her e-mail and blocking access to sensitive financial data.


During the fourth phase of the maturity model, CISOs will gauge security management advancement by looking at:

Integration of security and business visibility. Is security inhibiting business processes or creating an environment where employees, customers, and business partners feel like security is simply “baked” into the process? CISOs should master this balancing act by fine-tuning security policies, monitoring security controls, and seeking feedback from business counterparts. This will not be a “one-size-fits-all” effort. Rather, information security management is a function of business processes and risk tolerance. For example, an enterprise with global operations may want to monitor sensitive data access closely while implementing security controls like multi-factor or adaptive authentication and data encryption. To understand the value and impact security has on the business, it is likely that many large organizations will collect data from a multitude of business application and IT sources and employ sophisticated analytics capabilities to assess status and progress.

Tracking security budgets with business results. Security investment should be closely aligned with new business processes designed to drive revenue, improve productivity, or streamline operations. CISOs should be close enough to these initiatives to measure how security policies and controls can help accelerate and protect these programs.

An organizational security culture. As CISOs work more closely with business units, employees should gradually become more educated about information security management goals, objectives, and enforcement. By this time, large organizations should also eschew a focus on information security alone, and think in terms of enterprise Governance, Risk, and Compliance (eGRC). CISOs should see the benefits manifested in lower training costs, more cogent security policies, and fewer accidental security incidents.

Emergency response best practices. In the IT risk-oriented phase, CISOs did a great job of collecting data, reacting to changing threats and vulnerabilities, and taking proactive steps to prevent security breaches. These steps are critical but it is also important to plan for the worst-case scenario. To be prepared for an attack, large organizations need to gain executive buy-in, establish an emergency response team that includes business and IT participants, develop relationships with law enforcement, and build a plan for quarantining critical systems and applications. To minimize the impact of an attack, CISOs must capture data (i.e., log files, flow data, packet capture), establish security analysis/forensic expertise, and test internal processes and skills on a regular basis.

Ultimately, security should improve security data analysis, accelerate workflow, lower operating costs, and increase the speed and effectiveness of event detection/remediation. These are valuable benefits alone but the real advantage comes from aligning security with the business during this final phase. When business managers view security as part of their day-to-day responsibility, CISOs will have achieved their primary goal (see Table 4).

Table 4. Highlights of the Business-Oriented Phase

Objective: Transition security focus into eGRC programs and culture throughout the organization. Partner with business managers to secure business processes and planning.

Key Actions: Integrate and analyze business and security data. Align security budgets to business processes. Drive security into the organizational culture. Strive for excellence in emergency response policies and procedures.


The Bigger Truth

The ESG Security Management Maturity Model should be seen as a high-level roadmap for large organizations. Through each phase, CISOs should strive to:

1. Improve data visibility of things like assets, configurations, events, threats, vulnerabilities, etc.

2. Enhance data visibility and analysis to facilitate informed decision making.

3. Accelerate event detection, risk management calculations, controls effectiveness metrics, and problem remediation.

4. Align security investment with business value.

While these goals may seem obvious, they remain secondary considerations during the first two phases described above. The primary goal during the legacy phase is threat management while regulatory compliance dominates the second phase.

It is clear that a change is underway but ESG still sees some major problems. CISOs often don’t know where to start while business managers tend to view security as an afterthought. By proceeding through this phased information security maturity model, large organizations should have a better understanding of where they are and how to proceed.

Enterprises really have little choice here. Without a better security management model, many organizations are simply “sitting ducks” for cybercriminals and the next round of sophisticated attacks. The journey won’t be easy but CISOs who take the lead can address risks while enabling secure business processes along the way.

20 Asylum Street | Milford, MA 01757 | Tel:508.482.0188 Fax: 508.482.0218 | www.enterprisestrategygroup.com