With the emergence of new technology strategies such as Intranets and Extranets, protection of informational assets has become paramount. The first step is an enterprise-wide Information Systems Security Policy.
by Rahaju Pal / Dhawal Thakker
Traditionally, organizations have relied on policies to communicate high-level directives from management. Once issued, these documents provide top-down influence for everyone in the company, from business units to departments to individual employees. Such policies, however, were typically written at one point in the organization's evolution to capture the environment of that time. One of the major challenges for an organization is therefore the continued growth and adaptation of its policies to mirror the transformation within the organization.
The fastest-changing area within an organization is Information Systems. With the rapid development of and push toward new technologies, organizations find themselves trying to run current technical environments under outdated policies. Secondly, with the emergence of new technology strategies such as Intranets and Extranets, security and the protection of informational assets have become paramount.
The first step is an enterprise-wide Information Systems
Security Policy that is consistently enforced even as
business needs change. Unfortunately, most companies
have only bits and pieces of security scattered throughout
the organization. These may make some departments or
individuals feel safe, but they do little to protect
the enterprise as a whole.
To address these needs, PricewaterhouseCoopers has designed a Security Knowledge Management system, the Enterprise Security Architecture System (ESAS). The idea is to give an organization a key security infrastructure tool. ESAS is built primarily on the PPT methodology (People, Policy & Technology). PwC has since also mapped ESAS to ISACA's COBIT methodology and to the guidelines given in ISO 17799.
What is PPT methodology?
PPT stands for People, Policy, & Technology. The security process is a mixture of these three elements, and each element depends in some manner on the others. Issues receive greater coverage when the elements are combined, and the controls environment is greatly enhanced when all three work in concert. A simple drawing illustrates this (see Figure 1): it shows the basic elements and their coverage areas.
As you move toward the intersection of these elements, the controls environment increases; there is greater coverage. Let's look at the three elements individually.
People
This core element is the most important. The people
element comprises the people and various roles and responsibilities
within the organization. These are the people that are
put in place to execute and support the process. A few
key roles include senior management, security administrators,
system and IT administrators, end users, and auditors.
Policy
This element comprises the security vision statement, the security policy and standards, and the control documentation. This is basically the written security environment, the bible that the security process refers to for direction and guidance.
Technology
This element includes the tools, methods, and mechanisms in place to support the process. These are the core technologies embraced by the organization: the operating systems, the databases, the applications, the security tools. Technology is thus the enforcement, monitoring, and operational tool that facilitates the process.
The concept is that each core element can be measured for effectiveness and coverage. Issues can also be measured against the model to determine what controls coverage exists for that issue. The objective then is to move issues into the intersecting areas of the elements, with the final goal of moving the issue into the middle area of greatest coverage. As risk issues are identified, each step taken to manage the risk falls into one of the core elements: people, policy, or technology. If an issue is resolved with one element, addressing one of the other elements can strengthen that resolution. As the core elements are added to the controls environment and used in concert, the issue is resolved on several fronts, and the controls coverage is greater.
The PPT Model
The PPT Model can be illustrated with a few simple examples. Figure 2 shows the PPT Model with regard to Internet usage and misuse. Users are educated on the proper usage of the Internet; the controls environment relies solely on the user. An Internet usage policy is then written to document proper use of the Internet and the consequences of misuse; the controls environment is now supported by two of the three core elements.
Filtering software is deployed on the firewall. Now the controls environment is covered by all three elements. Figure 3 demonstrates an issue covered by only two of the three elements, and the consequence of such a limited controls environment.
The Internet connection is protected by the deployment
of a firewall. Core elements coverage = 1.
The firewall administrator receives specialized training
and develops the skill set necessary to administer the
firewall. Core elements coverage = 2.
The firewall administrator leaves the organization. The controls now rely on just one element, the technology. Core elements coverage = 1.
How can the model be used to identify an alternative solution to Figure 3? This is depicted in Figure 4.
The Internet connection is protected by the deployment
of a firewall. Core elements coverage = 1.
The firewall administrator receives specialized training
and develops the skill set necessary to administer the
firewall. Core elements coverage = 2.
Firewall operating standards are written and controls
are documented. Core elements coverage = 3.
The firewall administrator leaves the organization.
The controls environment relies on two of the core elements.
The controls, standards, and technology are documented
so that the skill and knowledge does not completely
leave the organization. Core elements coverage = 2.
From these examples, it is easy to see how the PPT model
can simplify the analysis of a risk issue. If the issue
is broken down into the three core elements, action
items can be determined for each core element. In this
manner, control coverage can be moved from one element
to two, and ultimately to coverage by all of the elements.
The PPT model sounds like a comfortable proposition, but during actual implementation CIOs tend to get lost in the framework. The ESAS tool simplifies this.
The ESAS repository
ESAS is a Security Knowledge Management tool designed
to bridge the gap between business and technology. It
provides organizations with a centralized repository
of security policies and technical control information.
ESAS allows an organization to effectively communicate
security policies and controls throughout the enterprise,
and provide the key infrastructure for a successful
Information Security program.
The major objectives of ESAS are:
- Ensure consistency of organizational security objectives throughout operating units
- Allow business strategies and goals to drive Information Security
- Allow an organization to deal with changes in both business initiatives and technology, and manage the risk associated with change
- Provide a comprehensive set of security policies for the organization
- Provide a method to look at information and technical systems from a risk perspective
- Provide the methods to implement security objectives effectively and efficiently at a technical level
ESAS is built on a unique security model/Framework (explained
below) to provide flexibility in managing the information.
Understanding the Security Framework
PricewaterhouseCoopers' Information Security Framework
provides the overall model for developing comprehensive
security programs. The framework illustrates an enterprise
approach for security.
Key elements, also referred to as the "Four Pillars"
to Information Security, include:
- Solid Senior Management Commitment
- An overall Security Vision and Strategy
- A comprehensive Training and Awareness Program
- A solid Information Security Management Structure, including key skill sets and documented responsibilities
Within the four "pillars" of the program,
several phases are included.
The first is the Decision Driver Phase, which contains the factors determining the business drivers of security: Technology Strategy and Usage; Business Initiatives and Processes; and Threats, Vulnerabilities and Risk. Together these form a unique "Security Profile" of the organization. This profile needs to be reflected in the Security Policies and Technical Controls.
The next facet of the Information Security Framework
includes the design of the security environment also
called the Design Phase. This is the stage where the
organization documents its security policy, the control
environment and deals with controls on the technology
level. A key element in this process is not only the
clear definition of security policy and technical control
information, but also the "Security Model"
of the enterprise. Information Classifications and Risk
Assessment methods fall under this component. These
processes allow the organization to manage risk appropriately
and identify the risks and values of information assets.
The final facet of the Information Security Framework is the Implementation Phase. This begins by documenting the Administrative and End-User guidelines and procedures, which must be succinct and flexible enough for a changing environment. Enforcement, Monitoring, and Recovery processes are then layered on for the operational support of the security program. These processes are "where the rubber hits the road": all the benefits of the Security Program's design and documentation are diminished if it is not put into effect on a day-to-day operational basis.

Rahaju Pal and Dhawal Thakker are Technical Consultants in the Operational and Systems Risk Management (OSRM) Group, PricewaterhouseCoopers. They can be reached at dhawal.thakker@in.pwcglobal.com or rahaju.pal@in.pwcglobal.com.