ISACA does a great job of mapping COBIT to other standards. It will be interesting to see how much alignment there is between COBIT 5 and the recent work being done by the National Institute of Standards and Technology (NIST). Just last month, NIST released Special Publication 800-37 Rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” To quote Dan Phillpott over on the Guerilla CISO site, “This document describes the central processes involved in the authorization of information systems that support the federal government. Notice I didn’t say Certification and Accreditation? That’s because C&A is deader than a sheep at a wolf convention. Want to know what replaces it?” Dan suggest picking up a copy of NIST SP 800-37 Rev 1.

Much of the recent focus on risk management is fueled by the need to deal with changing technologies. NIST SP 800-37 rev 1 is not the first NIST document concerning risk management and it certainly will not be the last. Later this year NIST will release SP 800-39 Rev. 1, “Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View” and NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments.” Dr. Ron Ross presented NIST’s view of the next generation of risk management in his talk, “Next Generation Risk Management Information Security Transformation for the Federal Governmen” at the 5th Annual Security Automation Conference.

Quoting from the “Changing Technologies and the Effects on Information System Boundaries” section of NIST SP 800-37 Rev 1.:

Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.

Focusing back to COBIT 5, the planned primary improvements will consist of:

• Aligning COBIT 5 with ISACA’s TGF initiative as well as recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT.
• Consolidating COBIT 5 into a single overarching framework and knowledge base, providing one consistent and integrated source of guidance.
• COBIT 5 will be described in a high-level framework publication, providing an explanation of the objectives, scope, format and usage of COBIT 5 and enabling enterprises to strategically plan adoption of COBIT 5 and how to migrate to the new framework.
• COBIT 5 will consist of a set of publications providing:
  • The content of COBIT 5 required for enterprise implementation and assurance activities
  • Focussed guidance publications on functional, responsibility and organisational views to help
    COBIT users with a specific area of interest to better understand how COBIT can support their role.
• Clarifying the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other, and with processes integrating both business and IT responsibilities.
• Aligning with the latest management practices as well as strengthening areas such as decision making, organisational structures, skill requirements, human factors, culture and change enablement. The new structure will be flexible, allowing future ISACA and non-ISACA standards, frameworks, regulations, etc., to be factored in.

If you want to learn more about risk management, a previous post “Risk Assessment: A Starting Point” provides a good starting point with links to some great information sources. Luke O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths“):

ISACA is looking for feedback by the close 12 April 2010. There is also a LinkedIn Group setup by Grzegorz Albinowski where you can discuss and stay informed on COBIT 5 developments.

What I hope people reading Cory’s post walk away with is the recognition that sects exist. We all have various fanatics at each of the organization where we work. Many are good people earnest and true in their desire to do their jobs well. Yet, they could not be more different in their solutions to the problems facing their organizations. They may fall into the high priests or heretics camps, or a dozen other camps.

Let us talk about some of the divisions within IT and security. Richard Bejtlich points out in his post, , “Steve Liesman on Inputs vs Outputs,” two camps. Richard is continuing an argument he previously made in “Controls Are Not the Solution to Our Problem.” He argues that too much time and resources are being spent on auditing controls that are far too input-centric. Instead, Richard feels controls should become more output-aware and recommends directing attention away from inputs and devoting more energy to outputs. Included are some real world examples that management could understand and relate to. Steve Liesman is quoted in relation to our current economic crisis, “It’s not what you’re doing that matters; it’s whether or not it works.” Consider the following questions. Within your security organization, who focuses on controls/inputs and who focuses on output? How much of a division exist between these groups? Where do the auditors fit in?

To point out other divisions within security, take a look at Jeremiah Grossman recent post, “Quick Wins and Web Application Security.” To quote Jeremiah paraphrasing a recent conversation with Joseph Feiman (Gartner):

During an event a panel of Gartner Analysts asked the audience what the best way is for organization to invest $1 million dollars in effort to reduce risk. The choices were Network, Host, or Application security to which the Gartner analysts made their cases for these three disciplines. The catch was the budget could not be shared between them and must be prioritized into a single initiative. The audience selected Application security. However, the Gartner CSO (who took the role of CIO in the play) overruled the audiences’ decision. They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rational was that that it is easier for him to show results to his CEO if he invests in the Network.

Gary McGraw was recently interviewed by James McGovern for the SilverBullet podcast. They discuss the recent release of “Building Security In Maturity Model (BSIMM).” In the interview, Gary was asked about the leaders of the enterprises that “have a clue in making their security posture better.” While the leadership that helped develop the BSIMM had very diverse backgrounds, James asked, “It sounds like they are all from a technical background at some level. Are there IT executives out there that understand software security that are just business people?” Gary responded, “I don’t know the answer to that. I really don’t know any. I will say this about these people, they are the sort of hybrid people that can speak business and also have a very deep technical background. As you know those kind of creatures are rare on earth. Right now it appears that they might be necessary to cause software security initiatives to be a success. Hopefully, we will gain enough experience and write down enough empirical science that won’t be the case in the future.”

It is not a great surprise to learn that a major divide exists between the IT and the business camp. Recent frameworks often include governance components in an attempt to help bridge the gap between the two camps. As an example, the IT Governance Institute® (ITGI™) recently released v0.1 of risk based framework based on the principles of enterprise risk management standards/frameworks such as COSO ERM2 and AS/NZS 4360,3. The framework is called Risk IT. ITGI would argue that existing IT risk guidance documents tend to focus solely on IT security. Risk IT is meant to cover all aspects of IT risk. ITGI also develops the Control Objectives for Information and related Technology (COBIT), which is focused on “providing a comprehensive framework for the delivery of information technology-based services.” Risk IT and COBIT are meant to compliment each other. COBIT is a set of good practices which provide the means of risk management; while Risk IT is meant to set good practices for the ends by “providing a framework for enterprises to identify, govern and manage IT risk.” Recall Richard Bejtlich argument concerning the division between the controls/inputs and outputs.

All these different sects make effective security most difficult. A layered approach to security fails to work when the layers operate in isolation. Gary McGraw gets an “amen!” for describing leaders of the enterprises that understand security as a “sort of hybrid people that can speak business and also have a very deep technical background. As you know those kind of creatures are rare on earth.” On top of having an understanding that reaches into areas throughout the organization, they need to be leaders.

Rob Goffee and Gareth Jones wrote an article, “Leading Clever People.” Goffee and Jones will be publishing a book with the same title late in 2009. An audio interview is available from the London Business School. Goffee and Jones conducted over a 100 interviews with leaders at major organizations and report the relationships effective leaders have with their “clever people” can be shaped by seven shared characteristics:

1. They know their worth—and they know you have to employ them if you want their tacit skills.
2. They are organizationally savvy and will seek the company context in which their interests are most generously funded.
3. They ignore corporate hierarchy; although intellectual status is important to them, you can’t lure them with promotions.
4. They expect instant access to top management, and if they don’t get it, they may think the organization doesn’t take their work seriously.
5. They are plugged into highly developed knowledge networks, which both increases their value and makes them more of a flight risk.
6. They have a low boredom threshold, so you have to keep them challenged and committed.
7. They won’t thank you—even when you’re leading them well.

Now you may be thinking, “I am security, not the CEO of the company. I am not even their project manager. Why are you talking about leadership? What should I care about business? If users just did what I told them, life would be good.” It is important to note that a characteristic not listed above is “empathy.” Folks in your organization are not going to try and see things from security’s point of view. They want to do their job and if security appear to be a road block, they will go around. We need to avoid having each sect doing their own thing. As what occurs in many religions, an “us verses them” attitude will develop. If you want people to follow, you must first lead. To lead “clever people” you must understand those people.

James Parker, Southwest Airlines ex-CEO, offers some advice. He has written a fascinating book titled “Do the Right Thing.” One story particularly interesting concerned a manager who didn’t succeed despite being very intelligent and ambitious. “When this person finally left, I asked one of his former employees why she thought everybody disliked her former boss so much. She summed it up: ‘Because he was the kind of person who kissed up and spit down.’ ” When problems arose at American, “the primary focus of communications was blaming and avoidance of blame – in contrast, when something went wrong at Southwest, the focus of communications was problem-solving,” Parker quotes from the book, “The Southwest Airlines Way“.

James Parker and Barbara Stocking, Chief Executive of Oxfam GB, discuss below “Leadership in an Age of Uncertainty” with moderator Deborah G. Ancona. The discussion focuses on the need for distributed leadership. A key point made is that companies need “employees doing things outside the narrow scope of their job responsibilities, to contribute to the success of overall operations.” This is the cornerstone of the concept of “relational competence.”

The world continues to get more complicated. In response, more specialization occurs, which leads to less understanding of other groups. The history of religions have shown us how difficult things can get when various sects develop. In the corporate world communication breaks down, the focus on the mission is lost, and the relational competence of a company dissolves. I started this post with the statement that I come bearing no answers, only questions. While that is true, I have pointed to some very intelligent people who discuss the various sects and offer possible ways to coexist. Security professionals cannot exist in their own camp, separate from the rest of the organization, dictating how people should do their jobs. In such an environment, it will not matter if every pronouncement is the embodiment of wisdom and truth. Failure is inevitable. Abraham Lincoln offered these wise words when he addressed the Washington Temperance Society on February 22, 1842:

If you would win a man to your cause, first convince him that you are his sincere friend. Therein is a drop of honey that catches his heart, which, say what you will, is the great high-road to his reason, and which, when once gained, you will find but little trouble in convincing his judgment of the justice of your cause. If indeed that cause really be a just one.

On the contrary, assume to dictate to his judgment, or to command his action, or to mark him as one to be shunned and despised, and he will retreat within himself, close all the avenues to his head and his heart; and though your cause be naked truth itself, transformed to the heaviest lance, harder than steel, and sharper than steel can be made, and though you throw it with more than herculean force and precision, you shall be no more able to pierce him, than to penetrate the hard shell of a tortoise with a rye straw.

Amen, brother Abraham.

Basic Terminology

A good starting point in developing a risk assessment process is NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” The document provides the following definition:

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Frequently risk will be defined as a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability. What should also be included is the resulting impact of that adverse event on the organization.

NIST SP 800-30 contains information on risk assessment and management. Recently, NIST released NIST SP 800-39, “DRAFT Managing Risk from Information Systems: An Organizational Perspective,” which contains a references to NIST SP 800-30 Revision 1, “Guide for Conducting Risk Assessments.” NIST SP 800-30 Revision 1, when it is released, will be the document for risk assessment while NIST SP 800-39 is for risk management.

Michael Smith, the Guerilla CISO, had a posting “An Open Letter to NIST About SP 800-30“. Michael writes “The best thing that you have given us is not the risk management framework, it was SP 800-30, ‘Risk Management Guide for Information Systems’. It’s small, to-the-point, and scalable from a single server to an entire IT enterprise.” I’ll leave it to the reader to view the rest of the post. The point is, NIST SP 800-30 currently is the best document to start with when talking about risk assessment.

The nine primary steps in the risk assessment methodology:

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Now that risk assessment is defined along with which NIST documents contains what, let us talk about risk management. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The risk management process is meant to protect an organization and its ability to perform its mission. It is not just just a technical function carried out by the IT experts to protect IT assets. It is an essential management function of the organization.

Framework

Awhile back, I did a post “Intense Simplicities” which discussed the risk-based protection model verses the policy based compliance model. Several frameworks were discussed and a “Security Mappings” page was developed. Examine the frameworks discussed in the previous post and notice that basically the primary steps in risk assessment can be mapped back into the frameworks. Before developing a risk assessment methodology, consider its place in the whole risk management methodology and the framework of the organization. This allows you to utilize what has already been developed.

IT Governance Institute® (ITGI™) is also developing the IT Risk Management Framework. To quote from Urs Fischer article, “The framework aims to fill the gap between generic risk management frameworks such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO)’s Enterprise Risk Management (ERM) and Australia/New Zealand AS/NZ 4360, and detailed (mostly security-related) IT risk management frameworks. Indeed, the goal of this framework is to allow organisations to understand and manage all IT-related risks (beyond security) and to address all aspects (beyond operational management of IT) when managing risk.

Information Sources

ISACA has made available a great deal of information that can be used in developing a risk assessment process. The following documents are bit older, but open to the world.

• Framing Your Choices: Weighing Three Risk Management Frameworks by Linda L. Briggs

– offers the conclusion that newer frameworks such as AS/NZS 4360 or M_o_R offer a solid route to first understanding and then controlling business risk.

• Risk Assessment Tools: A Primer – the article looks at risk assessment tools, in order to creates a framework of understanding and provides insight into the world of automated risk analysis.
• Risk Without Remorse – the article makes the argument that “by implementing COBIT risk management, the CIO should expect better portfolio management decisions and improved risk-reward communications intra- and interdepartmentwide, as well as a better ROA.”
• Risk and Control Self-Assessment (RCSA) – the article makes the argument that risk and control self-assessment (RCSA) is “a great asset in several phases of the audit process, starting with the risk assessment and development of the annual audit plan or individual audit plans of the area being reviewed.”
• IS Auditing Procedure: P1 IS Risk Assessment Measurement
• IS Auditing Guideline: G13 Use of Risk Assessment in Audit Planning
• Standard for IS Auditing: S11 Use of Risk Assessment in Audit Planing

If you become a member of ISACA, you can access more recent documents involving risk assessment and management. These include:

• A Comprehensive Method for Assessment of Operational Risk in E-banking by George Tanampasidis, CISA, PMP
• Risk Management Standards: The Bigger Picture by David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA
• Automating Security Policy and Procedures With Workflow: How to Improve the Effectiveness of Risk Management Solutions by Michael Godfrey
• New Framework for Enterprise Risk Management in IT by Urs Fischer, CISA, CIA, CPA Swiss

CERT just recently produced a podcast, “Security Risk Assessment Using OCTAVE® Allegro.” OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services. The authors of the blog site, the RiskAnalys.is, are big advocates of the Factor Analysis of Information Risk (FAIR) Framework. FAIR is meant to provide a framework for understanding, analyzing, and measuring information risk.

Update:Alex Hutton provided some important clarification on FAIR. Alex points out, “FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn’t actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a ’scan/prioritize/fix/repeat/’ Deming cycle at it’s core.” Alex also provides a great pointer to the ENISA’s website which includes a comparison of the 18 different Risk Assessment Methodologies. Alex writes, “They are a little obtuse on their definitions of risk and how the 18 ass.meth.’s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree.”

The ISO 27001 Security site has compiled a very nice listing with brief outlines of information security risk analysis methods, standards, and tools. IsecT Ltd., home of the NoticeBored security awareness service, voluntarily maintains the site as a “not-for-profit labour-of-love activity.” They have done a great job of keeping the site up-to-date. The site also makes available a free ISO27k toolkit. The toolkit consists of “a collection of papers contributed by members of the ISO27k Implementers’ Forum, either individually or through collaborative working groups organized on the Forum.” Three documents of particular interest are “Information security risk analysis spreadsheet,” “FMEA risk analysis spreadsheet“, and “Information security risk register.”

I tend to like information sources that are available to the public at no cost. Alex pointed out that Microsoft has put out the The Security Risk Management Guide. Microsoft describes the guide as helping explain “how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.”

After mentioning Microsoft, I feel compelled to point out an open source project. The Security Officers Management and Analysis Project (SOMAP) is a project with the goal to “develop and maintain Open Source Information Security Risk Management tools and utilities.” SOMAP operates on the belief that “Information Security is not a competitive issue and only freely available and cooperatively developed risk management utilities and tools can potentially lead to a better security management and to further development of the whole risk management field.” They have created the “Risk Management Handbook,” “Risk Assessment Guide,” “Security Officers Best Friend (SOBF Tool),” and “Open Risk Model Repository (ORIMOR).” See their site for additional details.

Blogs

A few blog sites where information can be obtained, and questions posted, are:

• Not Bad For a Cubicle: Risk Management made interesting.
• Risktical Ramblings: Assessing, Articulating & Quantifying Information Security Risk by Chris Hayes.
• Security and Risk Management Strategies Blog: Burton Group.
• RealTime IT Compliance: This is Rebecca Herold’s site who specializes in risk assessment, gap analysis, policy content development, awareness training, strategy development and implementation. The few times I have talked with her, she has been real friendly and helpful.

Recent Blog Posts

Below are a few recent blog postings that maybe of interest. The posts were pulled from Google Reader with accompanying blurbs of text.

• Risktical Ramblings: Risk and CVSS … I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessments efforts. In my opinion, there are some really useful “metric vectors” that provide a simple yet powerful way to analyze a vulnerability.. …
• The Security Catalyst: Refreshing, Reloading, Refueling … My goal in writing the book was simple: present enough information to create a shift in thinking. Beyond that, a keynote, executive seminar and guided system has been developed, tested and refined to further expand on the information in the book, bring it to life and drive results. Part of our journey will be working with organizations (small and large) to implement the tenets outlined in Into the Breach to improve revenue, complete a successful risk assessment, build an awareness program that works or influence a positive change in how people, information and risk are managed …
• (ISC)2 Blog: Proving the Value of Qualitative Risk Assessments … Qualitative risk assessments are a cornerstone security management tool. This type of assessment process is characterized by estimates of asset values, threats, vulnerabilities, and costs from anticipated exposures. Risk management frameworks are a way for managers to determine where to allocate resources when risk is at an unacceptable level ….
• RiskAnalys.is: Relentless Reflection – What it Means in Risk Management … Picking up from yesterday, Today I’d like to talk about: HANSEI – WHAT IS “RELENTLESS REFLECTION?” – And why we’re talking about it in the context of Risk Analysis. Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk man …
• bsi: Navigating the Security Practice Landscape … RA risk assessment (5) SA system and services acquisition (11) SC system and communications protection (23) SI system and information integrity (SI) Mappings to Other Standards Appendix G Security Control Mappings provides a detailed mapping of 800-53 controls to ISO 17799 paragraphs. Appendix H Standards and Guidance Mappings provide …
• RiskAnalys.is: UPDATES GALORE! or, THE PRONOUN “WE” MEANS YOU AND ME! …a Good Risk Assessment Methodology” – written by yours truly and Jack. It’s a very high-level document, and serves two purposes: For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document). …

Build Security In (bsi) is maintained for DHS. It contains documents that are continuously being updated. The “Risk Management” area provides a framework for identifying, tracking, and managing software risks.

Only a Starting Point

Overcoming Bias, a great thought provoking blog, recently posted, “Say It Loud.” The author, Eliezer Yudkowsky, quotes Will Strunk: “If you don’t know how to pronounce a word, say it loud! If you don’t know how to pronounce a word, say it loud!” Eliezer goes on to say, “This comical piece of advice struck me as sound at the time, and I still respect it. Why compound ignorance with inaudibility? Why run and hide?” This corresponds with one of my favorite graphics created by the Creating Passionate Users blog:

Eliezer makes a very valid point. To those who “sounds clueless, but isn’t,” you need to speak up. Otherwise, you are helping the “sounds smart, but isn’t” promote their cluelessness throughout the organization.

With that in mind, let me state this loudly: the above sources will provide a very useful starting point in developing a risk assessment process. NIST SP 800-30 is the best place to start. Also check out NIST SP 800-39. The IT Governance Institute has been talking about the IT Risk Management Framework for awhile now. It should be great when it comes out, but the last I heard there was no release date set. CERT OCTAVE is freely available, so that makes it a good resource. I am less familiar with FAIR, though it looks very interesting. I tend to use COBIT when dealing with business processes as a checklist of controls to have in place. Members of ISACA should look in the journal’s archive area. The last issue was focused on risk and contained a couple of articles that would be helpful. The articles that are open to the public are somewhat dated. The blog sites will be helpful once you start narrowing in and know what you are interested in doing. In the end, this post is meant only as a starting point. It is not a complete list; not even close. While there may be a great deal more work to do, your journey has begun. Good luck.

Technological Upheaval
Ground breaking innovations often causes some form of upheaval. Most folks are familiar with the story of Robin Hood and his band of merry men. Another group living in the Sherwood Forest area, though later around 1811, were the Luddites. These men from the past have a great deal to teach us concerning the ramifications of revolutionary technological change. The Luddites were highly skilled and quite well paid croppers (men who worked cloth). Their job was to cut the cloth after it had been raised with shears. These shears weighed 40 lb and were 4 feet long. Their world was turned upside down by the introduction of the water powered shearing frame. This new technology was simple enough that it could be operated by an unskilled worker, taking under a quarter of the time.

Luddites fought back by breaking into factories at night and destroying the new machines. In a three-week period, for example, over two hundred stocking frames were destroyed. While this may not be as exciting as Robin Hood, just as in that story the heavy hand of the government came down on the Luddites. The Frame Breaking Act made machine-breaking a capital offense. In Yorkshire in 1812, over 12,000 soldiers were brought in to keep order. Roundups of hundreds of men occurred. Some were deported to penal colonies and others were executed. At one point seventeen men were executed. In the end, the Luddites could not stop technology from advancing. By the 1820s the Luddite movement had ceased to be active and few croppers could find work in the woolen industry.

It’s All About Risk
The moral of the story is that technology does not exist in a vacuum. Not if it is useful technology. It ends up being integrated into the environment in which it operates. This integration can be peaceful, or not. Either way, it will occur. Policy based compliance tend to have policies dictating discrete, predefined information security requirements along with associated safeguards and countermeasures. There is minimal flexibility in implementation and little emphasis on explicit acceptance of mission risk. Compare that to risk based protection where the enterprise missions and business function drive security requirements, associated safeguards, and countermeasures. It is highly flexible in implementation and focuses on acknowledgment and acceptance of mission risk.

Today, organizations are taking a serious look at their information technology (IT) groups and questioning the governance models necessary to minimize risks and maximize returns. Taking the definition from the Control Objectives for Information and related Technology (COBIT) executive summary, IT governance is “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

Command and Control
Business managers and stakeholders, in order to trust and rely on IT must have some sense of reliability and control. Add to this business mix the constant pressures to decrease cost, increase reliability, and meet requirements to comply with local and federal regulations. Communication between different groups within an organization is essential, whether that be technical folks, auditors, finance, managers, etc. Innovation cannot exist only in the IT arena. It must translate into overall business process improvements. To help do this, companies are showing greater interest in best practices and in frameworks such as Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO/IEC ) 17799, and COBIT. Government organization need to follow the DoDI 8500.2 “Information Assurance (IA) Implementation” document or National Institute of Standards and Technology (NIST) SP 800-53A “Recommended Security Controls for Federal Information Systems.”

As organizations attempt to implement these frameworks/recommendations/requirements questions concerning how to bring these standards together arise along with difficulties in helping organizations get from where the company current is to where the company needs to be? Government does not get a free pass. Government agencies are faced with the daunting task of having to work together to combat security risks. That includes federal information systems that support defense, civil, and intelligence agencies along with private sector information systems supporting U.S. industry and businesses and information systems supporting critical infrastructures within the U.S. It would be helpful if we could start talking the same language. Or at least develop a dictionary so we can understand each other. Winston Churchill once said, “Out of intense complexities intense simplicities emerge.” By bringing together the seemingly diverse security best practices and controls from COBIT, ITIL, DoDI 8500.2, and NIST SP 800-53A, we hope intense simplifications emerges.

Battle Plans
First, a little background. The Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and NIST both address the Federal Information Security Management Act (FISMA) of 2002 requirements. FISMA is a United States federal law which recognizes the importance of information security to the economic and national security interest of the United Stats. FISMA tasked NIST with the responsibility of “providing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.” While DIACAP establishes “the standard DoD process for identifying, implementing and validating information assurance (IA) Controls for authorizing the operation of DoD information systems and for managing the IA posture across DoD information consistent with Title III of the E-Government Act, FISMA, DoDD 8500.a and DoDI 8500.2.” A major part of the DIACAP process is testing to make sure compliance with regulations occurs. The testing is based on security controls set out in DoDI 8500.2. The NIST SP 800-53A also “provides guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government.” As you can see, NIST 800-53A and DoDI 8500.2 are fairly similar in definitions and methodologies.

COBIT’s original purpose was to link IT process and controls to business requirements. Management guidelines were later added, providing management tools such as metrics and maturity models. ITIL is effective IT service management focused. It consists of 10 processes, which break down into service support (operational) and service deliver (tactical) processes. ISO/IEC 17799 focuses on security and attempts to aid an organization in the creation of an effective IT security plan.

Strengths and Weaknesses
The Information Systems Audit and Control Association (ISACA) has put a great deal of effort in mapping COBIT to other standards. In part, this is because of COBIT’s focus is on business requirements. COBIT can be used as the framework and governance model under which other best practices integrate. Take a look at these mapping guides:

• COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1
• COBIT Mapping: Mapping of TOGAF 8.1 With COBIT 4.0
• COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0
• COBIT Mapping: Mapping of ITIL With COBIT 4.0
• COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0
• COBIT Mapping: Mapping of ISO/IEC 17799: 2005 With COBIT 4.0
• COBIT Mapping: Mapping PMBOK to COBIT 4.0
• COBIT Mapping: Mapping SEI’s CMM for Software to COBIT 4.0
• COBIT Mapping to ISO/IEC 17799:2000 With COBIT, 2nd Edition
• COBIT Mapping Overview of International IT Guidance, 2nd Edition
• Aligning COBIT, ITIL and ISO/IEC 17799 for Business Benefit

Coming Together
To keeps things somewhat simpler, let us only focus on the mappings that exist for ITIL with COBIT and NIST SP800-53 with COBIT. Through this approach, we will develop a path from DoDI 8500.2 to ITIL. The mapping should be helpful not only in understanding but also in organization. Keep in mind, DoDI 8500.2 is the catalog of controls and can be matched against NIST SP 800-53A. Appendix G of NIST SP 800-53A does match up ISO/IEC 17799 and DoDI 8500.2.

When we combines these mappings, we do begin to see both the strengths of certain standards. We also gain depth of coverage. Take a look at the following mapping for configure and implement acquired application software to meet business objectives.

The complete mapping can be found from this link. This is a work in progress and is meant only as a first attempt to produce something that might clarify and help.

Building Trust
Dr. Ron Ross, project leader for the FISMA Implementation Project, has been doing some talks on transforming the certification and accreditation process through a unified risk management framework. He also wants us to be able trust each other. One of his recent presentation from November 14, 2007 to the ACT/IAC Information Security and Privacy Shared Interest Group titled “Building Trust Relationships Among Organizations” makes some very important points. In the presentation Ross states that there is an information security paradigmatic shift occurring from a policy based compliance model to a risk-based protection model. This is of key importance because the responsibility of security to provide information will depend on a trust relationship established among partners. This is applicable to both the government and industry. Trust can occur only when an organization understands the security state of their partners. Government and industry must be able to trust and understand each other’s security state.

Michael Smith, manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, makes the following important point about the unified catalog of controls in his post, “One Catalog to Rule Them All“:

What a unified catalog of controls means is that we now have something that is standardized across the board so that I can take an IA practitioner from the DoD side, put them into a civilian agency, and have a reasonable expectation that they will succeed there. In other words, I’ve decreased the switch costs for personnel transfers. I’ve also made it easier for agencies to share data with each other (conspiracy buffs here can think things about Census data feeding the Total Information Awareness program and corroborated against your classified file) and to support each other as vendors under Lines of Business, which the government needs desperately.

Eustace D. King has an article in the July issue of CrossTalk titled “Transforming IA Certification and Accreditation Across the National Security Community.” In the article King discusses the DoD and DNI CIOs seven goals for transforming C&A processes across the DoD and the IC. These goals can be found off the director if National Intelligence CIO’s “Re-Vitalizing Certification & Accreditation Initiative” page and include (quoting from King’s article):

1. Define a common set of impact levels and adopt and apply them across the DoD and IC.
2. Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing.
3. Define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.
4. Adopt a common lexicon, using CNSSI 4009 as a baseline, thereby providing both the DoD and IC a common language and common understanding.
5. Institute a senior risk executive function, which bases decisions on an enterprise view of risk considering all factors, including mission, IT, budget, and security.
6. Incorporate IA into enterprise architectures and deliver IA as common enterprise services across the DoD and IC.
7. Enable a common adaptable process that incorporates security within the lifecycle processes and eliminates security-specific processes.

I do like the idea of “define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.”

At the last month’s Infosecurity Canada Conference & Exhibition, Al Purdy, now principal of DRA Enterprises Inc. addressed the importance of a establishing an risk management framework. “The most likely way to address some of the risks is a public-private sector collaboration based on an established risk management framework“, Purdy said. Purdy points out that the IT Governance Institute (ITGI), developers of COBIT is reported working on a risk management framework for release later this year. Herr Urs Fischer, who is leading a steering committee that is developing the framework, admits, “While COBIT does contain some discussion of risk management, ITGI realized that it needed to provide more depth and guidance as technology professionals struggle with issues around compliance with regulations such as Basel II.” Fisher goes on to say, “It’s more of an add-on (to COBIT) than a new one.” Fisher explains, “It’s not a checklist. It’s more about the way you should do risk management.”

Parting Words
I started this post wondering if a shift is beginning towards the risk-based protection model. We see elements in play. There is a definite need for establishment of a common language between all our standards, best practices, and requirements. Recent research published in the IT Governance Global Status Report 2008 found a six percent increase from 2005 in the importance of IT to business strategy. IT is increasingly playing a more vital role in business and government. Help is needed that will allow different groups within an organization to understand IT. This need to communicate goes beyond the boundary of an organization. Governments and industry need to properly be able to evaluate the risk of working with their partners and they can only do this if they can evaluate their partner’s security readiness. Partnerships do not end within one’s own country. It is not surprising to see the push for a common risk management framework.

Jacob August Riis, an Danish-born American journalist and slum reformer who created new standards in civic responsibility regarding the poor and homeless in his reporting of New York City slum conditions, once wrote, “When nothing seems to help, I go and look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before.” Sometimes the hands of change seem to move at glacial speeds, but change will come. When all the elements are in place, change can come like a flash flood. The best we can do is be patient and then make sure we are not caught like the Luddites, on the wrong side of technological advancements.

Special Thanks
I wanted to add a note of special thanks to Michael Smith over at the Guerilla CISO. Michael is quoted above. I have been a long time reader of Michael’s blog and when I came across questions concerning DIACAP, I dropped him an email. He was most helpful and informative with his responses, shared with me some pdfs, and pointed me to some great sites. If you want to know more about Michael, Martin McKeay did an interview with him a few months back. Of course, any mistakes in this post are my own, and the correct information is due to the help that Michael provided.

Way back, before blogs existed, when there was only the cartoon version of The Hobbit, J. R. R. Tolkien was teaching children of my generation how to write good security plans. Many resources are available, to the point where it can be a bit overwhelming. What gets included in a security plan will depend on your organization. Fortunately, most organizations provide guidelines. Security policies will differ depending on the business of the organization. Different laws will be applicable depending on many considerations, such as does the organization having to do with government, medical, business, the European Union, Germany, etc.

There is no “one plan fits all.” Just as in life, everything depends. Having provided myself that disclaimer, I wanted to provide a few sites/documents that I find useful.

COBIT Security Baseline

This is a document put out by the Information Systems Audit and Control Association (ISACA). There will be a revised version coming out in July which will update the baseline to COBIT 4.1. The structure will otherwise remain the same. Here is a basic description:

COBIT Security Baseline is based on Control Objectives for Information and related Technology (COBIT), issued by the IT Governance Institute and now in its third edition. COBIT is a comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework. COBIT covers security in addition to other risks that can occur with the use of IT. This publication helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework. It then presents key control objectives and suggested minimum control steps for each, cross-referenced to the COBIT processes and detailed COBIT control objectives. A mapping to related control objectives in ISO 17799 is included as well.

Normally, I deal with open source software and documents. In this case, registration is required. Anyone can buy the book, but if you become a member you can get access to this and many other books for free.

NIST SP Guides

NIST documents reference each other. A good overview of how everything fits together is found in the Guide to NIST Information Documents. In relation to security policies, the following documents are particularly helpful:

• 800-100: Information Security Handbook: A Guide for Managers. To quote the document, “This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.” This document helps define what elements should be part of the security program.
• 800-53A: Recommended Security Controls for Federal Information Systems. To quote the document, “The purpose of this publication is to provide guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government.” This documents helps evaluate the controls that are in place.
• 800-12: An Introduction to Computer Security: The NIST Handbook. This document is a little older. To quote the document, it “provides assistance in securing computer-based resources (including hardware,
  software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.” This document is good to review in order to make sure everyone is on the same page in terms of concepts and terminology.
• 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems. This document is more of a reference document. Like NIST SP 800-12, it is a foundation document meant to make sure concepts and elements of security are understood.

Other NIST documents will be applicable depending on what technologies are used within your organization.

The SANS Security Policy Project

This SANS security project site contains alot of information, including primers and templates, to help one with security policies. To quote SANS, “The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies.”

The Information Security Forum’s (ISF’s) Standard of Good Practice

You do have to register, but it is free. ISF describes the document as addressing “information security from a business perspective, providing a practical basis for assessing an organization’s information security arrangements. It focuses on the arrangements that should be made by leading organizations to keep the business risks associated with critical information systems under control in today’s dynamic and competitive environment.”

Open Compliance & Ethics Group (OCEG)

OCEG is a great organization, focusing on “integrating governance, risk management, compliance and culture.” They have collaborated with Compliance Week to produce the GRC Illustrated Series. OCEG produces the Foundation “Red book”. To quote OCEG, it “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.”

Federal Agency Security Practices (FASP) Site

The FASP site contains agency policies, procedures and practices; the CIO pilot Best Security Practices (BSPs); and, a Frequently-Asked-Questions (FAQ) section. Below are two documents specifically of interest:

• Sample Security Policies and Procedure document
• Sample Information Systems Security Program (ISSP) Handbook

State of Texas Department of Information Resources

This site provides policies, standards and guidelines along with examples of policies, standards, and guidelines. Of particular interest is the security policy template overview.

The Open Web Application Security Project (OWASP)

OWAPS can provide information on application security. They have been developing a guide, whose latest version unfortunately is not available to the public. You can still view version 3’s table of content. The public can pull down version 2.0.1 of the guide.

Institute for Security and Open Methodologies (ISECOM)

ISECOM is an open,collaborative, security research community that produces the Open Source Security Testing Methodology Manual (OSSTMM). The document is a peer-reviewed methodology for performing security tests and metrics. ISECOM is about to come out with version 3 of OSSTMM. Currently, version 3 is only available to gold or silver membership. Version 2 is available to the public.

The Security Portal for Information System Security Professionals

This site contains a large number of links on all topics on information security. Good for filling in areas.

Samples

There are plenty of samples, but these two looked interesting.

1. Business and Financial Bulletin IS-3: Electronic Information Security
2. The University of Auckland, New Zealand

Final Remarks

Lacking information on how to do things is not the problem. It is how to organize it. I tend to favor NIST publications because there is plenty of supporting NIST document being actively developed. When you come down to it, the most important thing is to follow any guidelines or directives your organization may have. Your security policies will be reviewed by auditors. Understand what the auditors will be expecting so you can provide the information in a clear and concise manner. Finally, make sure your policies deal with the dragons in your kingdom. Wise words from a wise man.

I wanted to post a few more references. Hopefully, I will even find time to read these documents. I have referenced many times in this blog various NIST SP documents. On Friday, they published a guide to NIST information security documents. They describe the document as follows:

In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting the Guide to NIST Computer Security Documents (.pdf). In addition to being listed by type and number, the Guide presents three ways to search for documents: by Topic Cluster, by Family, and by Legal Requirement. This Guide is current through the end of FY 2006.

Information Systems Audit and Control Association (ISACA) has released to its members several documents. For the general public, these documents will be released in May. These document include:

• COBIT 4.1 — To get a quick overview of how COBIT 4.1 differs from 4.0, please see the page titled, “How COBIT 4.1 Changed From 4.0.”
• IT Governance Implementation Guide: Using COBIT and VAL IT, 2nd Edition — I really have not done much with VAL IT. For now, it will be interesting to have as a reference.
• COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition — The guide covers, “control practices provide control approaches consisting of practices that are necessary and sufficient for achieving COBIT control objectives.”
• IT Assurance Guide: Using COBIT — This guide, “provides detailed guidance on how COBIT can be used to support a variety of assurance activities, such as planning, scoping and assessing risks and how an assurance review can be performed for each of the 34 COBIT processes.”
• COBIT Security Baseline, 2nd Edition — This is the guide that I was most interest in. Unfortunately, it will not be available until May 14th. The guide, “helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework.”

This week I paid membership dues to get access to areas on the Open Compliance & Ethics Group (OCEG) site. OCEG has been working with Compliance Week on the Governance, Risk and Compliance (GRC) Illustrated series. OCEG also produces the Foundation “Red Book” which “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.” M. E. Kabay from Network World did a nice writeup on the Red Book’s approach to risk management in his article, “OCEG Red Book on risk management.” A final document from OCEG that I want to review is the “Benchmarking Survey Comprehensive Summary Report.”

Finally, in my last post title, “Forensic Resources,” I listed a few other things I will be investigating in the computer forensic arena. Of course, I will also preparing and taking my SANS Security 508 course, System Forensics, Investigation & Response GIAC Certified Forensics Analyst (GCFA) certification exam.

Many times, I feel like the Lloyd Bridges from the movie Airplane. “Looks like I picked the wrong week to quit smoking.” While I might not smoke, nor any of the other things Lloyd’s character choose the wrong week to give up, I did decide to give up hard core caffeine. I went from Pepsi Mountain Dew Code Red to basic green tea. According to Wikipedia’s Caffeine entry, green tea has about half the caffeine of Code Red. That scales me back far enough that I no longer have caffeine headache withdrawals. Maybe one day I will figure out how to get all my work done while getting relatively normal amounts of sleep. One can always dream. Such is the life of a security monk.

I am going to be hitting the road at the end of this week. That means, catching up on podcasts while I drive, and doing some reading while in the hotel room. I pulled a few topics of interest and printed them out. In case they might interest others, I have included the links below. I am going to be attending the Cybersecurity Summit 2007 for NSF Large Research Facilities. You probably did not think the monastery would qualify as a large NSF research facilities. Well, it doesn’t. But we do advise those troubled souls in the matter of security enlightenment. Now I have not attended one of these summits before, so it should be interesting. If you happen to be attending, look for me. I’ll be one with the big notebook of reading material.

Defense in Depth

• A Layered Approach to Security
• Defense in Depth: Foundations for Secure and Resilient IT Enterprises

Security Baseline

• COBIT Security Baseline

Information Security Governance

• Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition
• Why Information Security Governance Is Critical to Wider Corporate
• Information Security Governance: Motivations, Benefits and Outcome

Information Security Hormonization

• Information Security Harmonisation

SOA Security

• Understanding SOA Security Design and Implementation
• SOA: Redrawing the Business Processes
• SOA Security in Action
• Interview with Gary McGraw, CTO of Cigital, Inc.
• Managing Enterprise Risks: Security Considerations in the Deployment of SOA
• SOA raises security worries
• SOA Security Overview
• SOA Security, Identity 2.0 and Convergence
• SOA Security and Enterprise Reuse
• SaaS and SOA: Together Forever
• Security Concepts, Challenges, and Design Considerations for Web Services Integration
• SOA Meta Model
• Another SOA Meta Model

From the National Institute of Standards and Technology:

• Guide to Integrating Forensic Techniques into Incident Response
• Guide to Secure Web Services (DRAFT)
• Guide to Intrusion Detection and Prevention (IDP) Systems (DRAFT)
• Guide for Developing Performance Metrics for Information Security
• Recommended Security Controls for Federal Information Systems

From ISACA:

• COBIT Mapping: Mapping of ITIL with COBIT 4.0
• COBIT Mapping: Mapping of PRINCE2 with COBIT 4.0
• COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
• IT Control Objectives for Sarbanes-Oxley

Concerning Securing Mac OS X:

• A Corsaire White Paper: Securing Mac OS X
• Mac OS X Server Security Configuration for Version 10.4 or Later
• CIS Mac OS X Tiger Level I Security Benchmark
• NSA Apple Mac OS X v10.3.x “Panther” Security Configuration Guide
• SANS SCORE: Mac OS X Checklist 1.0
• SANS CIS Benchmark Tool
• Bastille Linux Mac OS X Beta
• DISA Mac OS X Security Technical Implementation Guide

Concerning Web Application Security:

• OWASP Testing Guide 2007 V2
• A Guide to Building Secure Web Applications and Web Services
  

Just for Fun:

• The Pragmatic CSO
• Optaros: Open Source Catalogue 2007 U.S. Version 1.1

It sure would be nice to retreat to a monastery and spend a few days just reading this material. A quote from Doug Larson sums it up nicely, “For disappearing acts, it’s hard to beat what happens to the eight hours supposedly left after eight of sleep and eight of work.”