ISSA – The Global Voice of Information Security | ISSA Journal | July 2009

Balancing IT Security Compliance, Complexity, and Cost

By Carlos Valiente, Jr. – ISSA member, Tampa Bay, USA Chapter

The author discusses implementing the International Organization for Standardization ISO 27001, the international practice for information security management.

Organizations today risk customer trust, their reputations, and ultimately shareholder value when they do not address or prevent information security breaches. Many are required by law to comply with a growing number of government and industry-specific controls designed to safeguard the confidentiality, integrity, and availability of IT systems from information security breaches. One strategy to consider is implementing the International Organization for Standardization1 ISO 27001, the international practice for information security management.

Companies struggle to protect intellectual property and other sensitive information as they often lack the visibility needed to define effective access policies that help mitigate risk. IT departments bear one of the heaviest burdens in compiling the data required by auditors, as their responsibilities include the documentation of procedures for security policy, compliance controls, and risk management processes. For many organizations, this is a key point of failure both before and during an audit, which inevitably leads to increasing the cost of audit-related fees.

The reality, however, is that security breaches will continue to occur2 and the problem is not getting any easier to solve. The exponential growth of information breaches and the level of complexity of the infrastructure – network, virtual operating systems, and applications – continue to grow at a fast pace. It is easy to get caught up in reacting to the current symptom or problem that is causing immediate pain, rather than proactively tracing the issue back to its root cause to find a long-term fix that will take the organization to a higher level of overall performance.

Regulatory standards

Many organizations take a silo-based approach to complying with regulatory standards (e.g., PCI, GLBA, SOX, etc.), where each compliance effort is approached individually. However, many of the controls that need to be defined, assessed, and enforced are common across regulations. A silo-based approach leads to a lot of redundant compliance efforts that significantly increase the cost. In addition, companies have realized that as the number and scope of requirements grow, the sheer complexity of assessing multi-regulatory compliance with a large number of overlapping controls becomes a challenge. All these factors combined call for a smarter approach to addressing information security. Below is a partial list of the most common compliance standards:

California SB 1386 – Known as the Security Breach Information Act, this state law governs organizations that serve customers residing in California and store confidential data about those customers on computers, or transmit such data over networks. The law requires proactive protection of private data for Californians.

EU Privacy Directives – Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

GLBA – The Gramm-Leach-Bliley Act of 1999 requires financial institutions to create, document, and continuously audit security procedures to protect the nonpublic personal information of their clients, including precautions to prevent unauthorized electronic access.

FISMA – Requires that federal agencies establish risk-based information security programs to secure federal information.

HIPAA – The Health Information Portability and Accountability Act was one of the first mandates requiring organizations to implement IT security controls to protect the privacy of protected health information that they handle and store.

PCI DSS – The PCI Data Security Standard was developed by the major credit card companies as a guideline to help organizations that process card payments to prevent credit card fraud, hacking, and various other security issues.

1 www.iso.org.
2 www.datalossdb.org.
SOX – The Sarbanes-Oxley Act of 2002 requires the company’s auditor to attest to and report on management’s assessment of the effectiveness of the company’s internal controls and procedures for financial reporting.

PIPEDA – The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial business.

Figure 2 – Continual improvement approach to information security management: regulatory, legislative, and contractual requirements feed the security and compliance management program, which cycles through Plan (establish the framework), Do (implement and operate the framework), Check (monitor and review the framework), and Act (maintain and improve the framework).

The key benefit of ISO 27001 is that it provides a single, strategic, and comprehensive framework for information security, and implementing these broad-based controls covers a wide set of control objectives required in SB-1386, HIPAA, PCI, GLBA, SOX, and EU Directive 95 (see Figure 1). You can significantly reduce the number of controls and implementation costs by achieving a transparent, optimized security baseline across the organization.

Figure 1 – Regulatory and corporate objectives (EU Privacy Directives, HIPAA, PCI, SOX, GLBA, SB-1386, others) mapped through ISO 27001 to its control domains: security policy, human resources, access controls, business continuity, physical security, incident management, operations management, compliance, asset management, infosec organization, and information systems development and maintenance.

The ISO standards framework

The framework takes a very broad approach to information security. The term information addresses all forms of data, documents, communications, conversations, messages, recordings, and photographs. It includes everything from digital data, email, and faxes to telephone conversations. The standard effectively comes in two parts:

• ISO/IEC 27001:2005 is a standard specification for an information security management system (ISMS).
• ISO/IEC 27002:2005 is a standard code of practice and can be regarded as a comprehensive catalogue of individual control objectives.

When you implement 27001 you are building an information security management system using a continual improvement approach (see Figure 2); 27002 is intended to be used in conjunction with it and prescribes the individual control objectives. Once implemented, organizations that have a need to advertise that they are 27001-compliant can be certified by a number of accredited third-party audit registrars worldwide. This is very similar to a manufacturing organization achieving ISO 9001 certification or a service organization achieving a SAS 70 for effectiveness of controls. Following is a brief summary of ISO 27002’s eleven main sections or domains.

Security policy

It prescribes a written, high-level policy document that should be approved by management and published and communicated to all employees responsible for information security in a manner that is understandable to the intended recipient. The primary objective of a policy statement is to outline the aims of the organization as endorsed by the executive management team. The document should be written clearly so that it can be interpreted at all levels of the organization and applied to the standard operating procedures. The supporting standards and procedures, which are then derived from the overall policy statement, will control the day-to-day operations, which occur at the various functional levels within the organization.

Organization of information security

This is primarily about people rather than technology, and how they are organized to manage the information security function. It outlines how management is organized and established to initiate and control the implementation of information security within the organization. In large or global organizations, it is sometimes necessary to co-ordinate information security measures by establishing distribution services channels. It is important that organizations support the delegation of security responsibility to areas where those responsibilities can be properly discharged.

Asset management

All major information assets should be accounted for and have an owner designated by name or title who is responsible and accountable for his or her assigned assets. This will include access rights to, and classification of, those assets. The owner of the assets determines, documents, and promulgates the rules for the use of those assets for their whole life cycle, from creation or purchase to disposal. Finally, to ensure that information assets receive an appropriate level of protection, classification levels should be used to indicate the need and priorities for security protection. Classifications should show the value, sensitivity, and criticality of each information asset.

Human resources

It ensures that employees, contractors, and third-party users understand their responsibilities and are suitable for the roles they are considered for, and aims to reduce the risk of theft, fraud, or misuse of facilities. Information security should be addressed at the recruitment stage, included in the job descriptions and contracts, and monitored during an individual’s employment. It should also form part of the exit process to ensure that organizational assets are returned prior to cessation of employment or contract. All users of information systems should be given adequate security education and technical training.

Physical and environmental security

Information processing facilities supporting critical or sensitive business activities should be housed in secure areas. This includes protection of equipment and information from physical harm, as well as physical control of access to information and equipment. It also contains two of the most significant control features of the standard: the education and training of staff, and setting contractually the expected behavior of anyone with access to organizational resources.

Communications and operations management

This broad domain aims to ensure correct and secure operation of information processing facilities and that responsibilities and procedures are established for the management of all computers, networks, and information processing facilities. For example, all changes to operational information processing facilities and systems should be controlled. The operating procedures identified by the information security policy relating to all information processing should be documented and maintained under formal change control. Segregation of duties should be considered to minimize the risk of negligent or deliberate system misuse. Development and testing facilities should be isolated from operational or production systems. Rules for the promotion of software to operational status should be defined and documented. In addition, this domain addresses third-party service delivery, system planning and acceptance, protection against malicious code (antivirus), backup and recovery procedures, media handling, and the exchange of information.

Access control

This section is all about the control of access to information and systems on the basis of business and security needs. System access can be controlled in a number of ways using hardware and/or software. The real question is not how control is achieved but who is allowed access and to what. System access is like every other system of locks and keys; the basic decisions are what requires protection and who has the keys. These are strictly business decisions that should not depend on the technology at all. This domain covers areas such as user access management, user responsibilities, network access controls, operating system and application access controls, and mobile computing.

Information systems acquisition

Access to information and business processes should be controlled on the basis of business and security requirements. All security requirements should be identified and agreed to prior to the development or acquisition of information systems. It is also essential that any commercial software options (e.g., off-the-shelf software, software as a service (SaaS), or cloud computing) have suitable controls built in, and that the inclusion of such controls is considered a part of the acquisition process. These controls include, for example, cryptographic controls, access to system files, change control procedures, disaster recovery, and vulnerability analysis.

Information security incident management

This domain ensures information security events and weaknesses associated with information systems are communicated in a manner that allows timely corrective action to be taken. An effective and efficient incident management system for information security incidents must be implemented with appropriate escalation processes. When breaches of security do occur, for whatever reason, it is important to contain the result by reporting the incident and responding to it as quickly as possible. For example: To whom should an incident be reported? What information will that person need to know? What precautions should be taken to limit the organization’s exposure to the security breach?

Business continuity management

This domain counteracts interruptions to business activities, protects critical business processes from the effects of major failures of information systems or disasters, and ensures their timely resumption. A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures to an acceptable level through a combination of preventative and recovery controls. For example, it covers how IT intends to deliver corporate information when the power goes off, a fire occurs, or the computers simply break down.

Compliance

The objective is to avoid breaches of any law, statute, regulation, or contractual obligation and of any security requirements. The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements. This domain also addresses compliance with an organization’s own security policies and standards. Most important is that there should be controls to safeguard operational systems and audit tools during system audits.
Implementation steps

There are different methods of implementing ISO 27001, and the exact process may vary or need tailoring for each organization. Here are basic key steps to consider:

1. Define the scope of implementation
2. Develop the information security policy and obtain management approval
3. Identify your information assets and owners
4. Classify your information assets
5. Define the risk assessment process methodology and identify the risks
6. Map the ISO 27001 controls applicable to mitigating the risks identified in step 5
7. Document the statement of applicability to identify the controls chosen for your environment, explaining how and why they are appropriate
8. Define the organization’s policies, standards, and procedures
9. Communicate the policies and procedures to the entire organization
10. Implement the identified controls and document them
11. Implement a security awareness training program for the entire organization
12. Perform and implement a scheduled internal compliance audit program
13. Engage a third-party auditor to provide assurance
14. Proactively close any gaps identified during audit
15. Maintain matrices of the security practice and ensure continuous improvement
16. Certify your organization

Figure 3 – ISO 27001 certificates worldwide (bar chart, scale 0 to 500) for Spain, Italy, Hungary, Czech Republic, USA, Germany, China, Taiwan, UK, and India.

Industry certification trends

According to the international certification register, which maintains a list of the ISMS certificates awarded to organizations worldwide,3 only 86 certifications have been granted in the U.S., while countries like India, UK, China, Taiwan, and Germany are leading the U.S. in adopting 27001 ISMS (see Figure 3). Japan accounts for 3000 of the 5000 plus certifications issued worldwide.

Implementation benefits

Some of the benefits of implementing 27001 over point solutions include the following:

• Provides an internationally recognized information security strategy, structure, and methodology
• Allows an organization to demonstrate credibility, trust, confidence, and due diligence to clients and business partners
• Establishes that relevant laws and regulations are being met
• Increases awareness of information protection within the organization
• Documents processes, policies, and procedures and provides for a structured, reusable approach
• Becomes part of the formal business process to improve security and reduce risk
• Provides a holistic approach to monitoring and controlling the IT environment across the enterprise
• Ensures that a commitment to information security exists at all levels of the organization
• Leads to substantial cost savings in implementing information security and compliance efforts

Conclusion

Are you “doing things right” rather than “doing the right things”?4 The first is tactical and the second is strategic thinking. Both are clearly needed to run a successful organization, but it is important to make sure you are steering your ship where you want it to go rather than clinging desperately to the anchor chain as it drags you through the water.

When it comes to protecting information, this framework, if implemented correctly, can increase your resource efficiency while helping manage risk, reducing the number of controls and ultimately your overall spending. By eliminating a silo-based approach to compliance, and leveraging commonality of controls across various regulations and mandates, complexity decreases significantly and compliance becomes more sustainable and cost-efficient. Implementing a single strategic solution will help an organization manage complexity and the total cost of ownership of information security, risk, and compliance.

About the Author

Carlos Valiente Jr., CISSP, CISA, CISM, CGEIT, LA-27001, is a results-driven information security specialist and compliance audit professional with 21+ years of experience leading and managing global IT, information security, compliance, and risk management programs in Big 4 and Fortune 500 companies. For more information, comments, or questions email vtechno@gmail.com.

3 www.iso27001certificates.com.
4 A quote from business thinker Peter F. Drucker.