“Information security provides the management processes, technology and assurance to allow businesses’ management to ensure business transactions can be trusted; ensure IT services are usable and can appropriately resist and recover from failure due to error, deliberate attacks or disaster; and ensure critical confidential information is withheld from those who should not have access to it.” — Dr. Paul Dorey, Director, Digital Business Security, BP Plc., UK
Having been in security for a while now, I find myself at times mystified about how to answer someone when they start asking me the value of security. This is not because I do not have an answer. I can easily go into a long speech about risk management. I enjoy quoting Ron Woerner on how risk management is like the brakes on the corporate car and how “brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner. Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.”
My problem comes when I have to shift perspectives to what that individual might value. Sure, people would like to reduce risk, but that might not be in their top ten priorities. There are even folks who might agree with Edwin Starr and feel that security “ain’t nothing but a heartbreaker”. Telling people how they should care does not persuade them much. Recently, I was asked to explain how a good security management process can result in higher productivity, higher quality, higher satisfaction, reduced risk, cost avoidance, and higher return on investment. Scrunching up your face like you just bit into a lemon, as you try to figure out how to compare what might initially appear to be apples to oranges, is not considered a proper response. People dealing with technical issues in security are not often asked how their work can result in higher satisfaction. The truth is, we are all working to produce services or products that the customer will be satisfied with. It is not unreasonable to expect a proper business-focused response.
If you ever find yourself in a similar position, let me point you to a few sources that might prove helpful. In order to align a manager’s priorities with security, it helps to start from a set of accepted basic security objectives. In this day of regulations and compliance, the Federal Information Security Management Act of 2002 (“FISMA”, 44 U.S.C. § 3541, et seq.) is a good starting point. For those unfamiliar with FISMA, it is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). This legislation recognizes the importance of information security to the economic and national security interests of the United States, and tasked the National Institute of Standards and Technology (NIST) with the responsibility of providing standards and guidelines. NIST started by creating a common framework and method for categorizing information and information systems, with FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems. The standard was meant to help agencies “identify and prioritize their most important information and information systems by defining the maximum impact a breach in confidentiality, integrity, or availability could have on the agency’s operations, assets, and/or individuals.”
To quote a NIST March 2004 bulletin, in FIPS 199 confidentiality, integrity, and availability are defined as security objectives for information and information systems:
- Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” A loss of confidentiality is the unauthorized disclosure of information.
- Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” A loss of integrity is the unauthorized modification or destruction of information.
- Availability: “Ensuring timely and reliable access to and use of information…” A loss of availability is the disruption of access to or use of information or an information system.
Moving a little away from the federal government, towards industry, I like to quote from the COBIT Security Baseline, 2nd Edition. COBIT is one of those standards business managers are likely to be aware of, and it addresses the concerns of the business. COBIT’s purpose is to “provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.” What I particularly like about ISACA and COBIT is that they show COBIT’s applicability to other standards through documents that map COBIT to those standards:
- COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1
- COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0
- COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0
- COBIT Mapping: Mapping of ITIL With COBIT 4.0
- COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0
- COBIT Mapping: Mapping of ISO/IEC 17799: 2005 With COBIT 4.0
- COBIT Mapping: Mapping PMBOK to COBIT 4.0
- COBIT Mapping: Mapping SEI’s CMM for Software to COBIT 4.0
- COBIT Mapping to ISO/IEC 17799:2000 With COBIT, 2nd Edition
- COBIT Mapping Overview of International IT Guidance, 2nd Edition
- Aligning COBIT, ITIL and ISO 17799 for Business Benefit
Basically, the Security Baseline document views the security objectives as being met when:
- Information systems are available and usable when required, and can appropriately resist attacks and recover from failures (availability)
- Information is observed by or disclosed to only those who have a right to know (confidentiality)
- Information is protected against unauthorized modifications or errors so that accuracy, completeness and validity are maintained (integrity)
- Business transactions and information exchanges between enterprises, customers, suppliers, partners and regulators can be trusted (authenticity and non-repudiation)
From the “COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1” document, the table below provides an overview of the value security provides in terms of the control objectives identified by COBIT and the requirements of NIST SP 800-53. (The table covers the IT governance focus area “Value Delivery”.)

| Contribution of COBIT | Contribution of NIST SP 800-53 |
|---|---|
| Requirements of this focus area can be covered by implementing the COBIT processes. Processes with a primary impact on this focus area are: | Requirements of this focus area can be partially covered by implementing various NIST SP800-53 security controls. The control families with a primary impact on this focus area are: |
| The processes ensure that IT-enabled business initiatives deliver value to the business by proper planning of the implementation, delivery of knowledge to ensure beneficial usage of services and providing a proper support for the services. | The processes address value delivery by emphasising security over the IT environment. Without adequate security, the delivery of value to the organisation is negatively impacted. The emphasis is to ensure that the maximum value can be achieved by security enabling business needs. Security can be a value-add, not just a way to mitigate risk. |
ISACA would make the point that COBIT is meant to provide guidance across the entire realm of the governance of an enterprise’s IT, to “ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.” COBIT ensures adequate governance of the enterprise’s IT security, but it does not provide the detailed security guidance that NIST SP 800-53 provides. Once you have the mapping down, the NIST documents are essentially complementary to COBIT.
At this point, we have established CIA (confidentiality, integrity, availability), together with authenticity and non-repudiation, as the fundamental security objectives. We have added a few additional control objectives and security requirements. Adjusting our focus completely towards business, we can pull information from Mike Rothman’s very good book, “The Pragmatic CSO.” Mike is the President and Principal Analyst of Security Incite. In his book, Mike does a great job of refocusing security on business. We often get too wrapped up in the technology of security. The job of security, in a nutshell, is to protect the assets of the organization and ensure that the business can operate. As Mike says, it is not about technology, it is about business. The five basic reasons to secure that the book outlines are:
- Maintain business system availability
- Protect intellectual property
- Limit corporate liability
- Safeguard the corporate brand
- Ensure compliance
For more details, please see Mike’s book. You are now well on your way to being able to explain to management, no matter what their priorities, how security can help the business. Base your response on the fundamental security objectives discussed above and use the mapping documents, such as those produced by ISACA for COBIT, to align those objectives with the business goals.
In the upcoming posts, I am going to write more practically focused implementation guidance for open source software that will help with the confidentiality, integrity, and availability of a system.