Issue of November 2002

Secured View - Security Organization
Are you a Security Organization?

Large amounts are being spent on acquiring the latest security products, but without a security organization responsible for implementing the security process this expenditure would be wasted.

By Avinash Kadam

In my first article, I covered the topic 'Why Information Security is important for your organization'. It was followed by a second article, 'Writing an Information Security Policy'. If you've been following this column, you've probably guessed that this article would be about 'Security Organization', because that happens to be the next of the 10 domains of an Information Security Management System as suggested by BS 7799. I propose to cover each of these 10 domains sequentially, so that anyone interested in implementing the information security management guidelines of BS 7799 will have the necessary background material.

Need for a Security Organization
Information security is now the key concern of all organizations. Large amounts are being spent on acquiring the latest security products. Unless equal efforts are spent on creating a security organization that is responsible for implementing the security process, this expenditure would be wasted.

Physical security in an organization is usually very visible, with a high-ranking retired officer from the armed forces or police managing it. Information security is still a nebulous concept. Information may be stolen, yet there may be no trace of the theft, nothing physically missing. Losses suffered due to theft of information may be much greater than those incurred due to theft of physical assets. Based on risk assessment, we are usually in a position to measure the consequences of information theft.

For managing information security, we need to follow the 'Plan-Do-Check-Act' or PDCA cycle. Creating an appropriate security organization is part of the planning phase. A security organization also helps us define the roles and responsibilities of the various individuals who will be entrusted with implementing information security in the organization. If we do not follow this process and assume that security is everybody's responsibility, then ultimately it will be nobody's responsibility.

Who should be part of the Security Organization?
The information security organization must have three levels of hierarchy:

1. Top management - the people who approve the security policy and security budgets, review the security implementation efforts, take note of the effectiveness of various measures and decide on the priorities. Involvement of top management will induce the organization to take security matters seriously.

2. Security management teams - consisting of people who have specific security-oriented tasks assigned to them. These teams are the backbone of the security organization. The enthusiasm of these teams will really make the organization security conscious.

3. End users - the success or failure of the security initiative depends on their responsiveness to information security.

The Chief Information Security Officer (CISO) should unite these three levels towards the same objective: securing the organization's information assets.

Roles and Responsibilities
Each of the levels described above has a different role to play and different contributions to make. Let's look at the roles and responsibilities that could be defined for each of the levels.

Top management: Security Steering Committee (SSC)
Top management has enough on its plate to cope with. All the same, it still has to be involved in planning the information security strategies and policy matters; otherwise, it may not appreciate the business risks of deploying information technology. It is worthwhile to create a security forum or security steering committee, which will meet at least once every three months with a well-defined agenda.

The SSC's responsibilities are:

  • Provide management's support to the security process
  • Develop security objectives, strategies and policies
  • Review the risk assessment reports and monitor the exposure of information assets to major threats and the business impact thereof
  • Define the status of various security initiatives
  • Review major security incidents
  • Approve any major changes to IS security policy

The committee must be headed by the CEO, and the other members should be the various business managers, the Chief Finance Officer, the Chief Information Officer, the Chief Internal Auditor and the Chief of Physical Security.

The CISO should be the secretary of this committee. He should be functionally responsible to this committee. Administratively, he should report to the CEO or to the Chief Internal Auditor. This will ensure adequate independence for him to perform his job.

Security Management Teams
Information security is a complex subject involving many specialists. It is not a one-time job performed by a single expert, but needs the day-to-day co-operation of the whole organization. The CISO should create a number of teams with specific responsibilities. For some teams, this will be a full-time job; for others, it will be in addition to their existing responsibilities.

Security policy owners: The security policies must be authored by persons with good knowledge of both the business and IT, in order to make the policies practical and enforceable. Some of the policies will pertain to technical aspects where in-depth knowledge is required. Some policies will involve the Human Resources Department. The CISO has to ensure that each owner/author of a security policy defines an appropriate policy which meets the needs of the organization. The policies also need to be reviewed at least once every year.

Security maintenance team: This team should consist of hardcore IT/IS technical experts with specialized knowledge of various security measures. The responsibility of this team is to understand the various security alerts issued by manufacturers or independent security organizations. They should assess the need for implementing the requisite patches after proper testing. This team should also track exploits that could be used to expose the vulnerabilities organizations face due to new weaknesses revealed by either manufacturers or security organizations such as SANS, CERT, SecurityFocus, etc. The team should also be responsible for reviewing various logs, such as firewall logs and intrusion detection system logs, and detecting whether there has been an attack on the organization.

Security incident response team: This team should consist of persons who can take decisive action if your worst fears come true. They should decide the steps to be taken in case of an incident, attack or penetration. They should try to identify, isolate and contain the incident to ensure that it does not spread to other devices or units. During the Code Red II attack, most organizations were not prepared to react to such an incident and many had to shut down services for a few days.

The security incident response team may also have to liaise with local law enforcement bodies, Internet service providers and telecommunication bodies for better coordination during a crisis.

Disaster recovery team: The responsibility for making a business continuity plan and a disaster recovery plan lies with the CISO, or with a BCP manager if the organization has a separate department for this purpose. The disaster recovery team should be involved in keeping the disaster recovery plans ready and should test them periodically so that they are not outdated when needed.

Security training team: The responsibility of this team is to provide security awareness training at all levels in the organization. This team could also be made responsible for preparing do's and don'ts, security awareness posters, security competitions, observing security week, anti-virus day and all such things which keep security in the limelight.

End Users
Information security will only be as strong as its weakest link. Unfortunately, end users could undo the best security efforts. Bruce Schneier, the well-known security expert, once said, "Amateurs hack systems, professionals hack people." The most effective attacks on information are social engineering attacks. A con artist posing as an authorized person can get any information, including passwords, from unsuspecting end users. The victims of social engineering are typically receptionists, telephone operators, computer operators, system administrators and end users.

Another area of concern is non-compliance with the security policies. An organization may have framed elaborate policies about e-mail, Internet connections and so on, but if end users do not observe these policies, they may put information security at risk.

End users and everyone in the IT team must be informed about their job responsibilities, the information security policy and the penalties for breaching the policy. Non-disclosure agreements, confidentiality agreements, the password secrecy policy, etc. should be part of the appointment letter. It is not too late to do this paperwork for existing employees. This will create seriousness about information security and will also help if an investigation needs to be done to probe a cybercrime.

Chief Information Security Officer (CISO)
This is a key position for ensuring the successful management of information security. The CISO should interact with top management and explain the security risks to them in the language of the business. He should manage the various security management teams made up of technical people. He should also interact with end users and patiently explain to them why it is necessary to follow certain steps which may slow down the system but make information more secure. In case of an incident, he has to calmly take stock of the situation and take damage control

The main responsibilities of a CISO are:

  • Secretary of the security steering committee: He should prepare the agenda and ensure the follow-up of all the issues discussed in this committee. He should report the status of various security initiatives and also the major security incidents faced by the organization. He should also prepare the annual information security budget.
  • Custodian of the information security policy: The CISO is responsible for the information security policy. He should ensure that it is periodically reviewed.
  • Maintainer of the information security management system (ISMS): The CISO will keep the ISMS up to date, with all the procedures, guidelines, baselines and standards properly documented and available to all the concerned people.
  • Security risk assessor: The CISO should establish and review the security risk assessment methodology and select appropriate controls for risk mitigation. He should also maintain the statement of applicability for controls that are not applicable to the organization.
  • Leader of the various security management teams: The CISO should guide the security maintenance team, security incident response team, disaster recovery team and security training team.
  • Monitor of compliance with security standards: The CISO should report compliance, or the lack of it, to the concerned authorities.
  • Verifier of the information security asset base: The CISO should define the methods for identifying and classifying information assets and verify the correctness of the asset base.
  • Representative of the organization: The CISO should interact with external agencies who could be of help in maintaining information security for the organization.
  • In-charge of overall security: The CISO should also liaise with the physical security department for safeguarding information security.
  • Reviewer of third-party access: The CISO should review the security requirements of third-party access.
  • Reviewer of outsourcing contracts: The CISO should review the security requirements in outsourcing contracts.
  • Ensurer of co-operation between external security auditors and the organization: The CISO should ensure rectification of any non-conformities observed by the auditors. The CISO should obtain and retain the BS 7799 certificate.

Information security management requires good planning of the various security measures, proper organization of resources, efficient implementation by competent individuals and continuous monitoring by top management.

Avinash Kadam is Chief Executive - Assurance and Training at Miel e-Security, Pvt. Ltd. He can be reached at

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world.