The ETSec Security Lifecycle Methodology
A Corporate Information Security Program has become a generic term with different meanings for diverse audiences.
ETSec takes a standards-based approach to help define information security policy as a specific, measurable and data-driven framework encompassing multiple user and management needs across an organization. By applying this framework, organizations encourage broad-based support for an information security solution. The end result is an efficient and effective ongoing security management system, covering both managed in-sourced and out-sourced security operations.
Standards-based Security Program
Security is a business fundamental in the physical world. No organization would even consider opening operations without securing all facilities against theft, fire and vandalism. Nevertheless, companies engaging in E-commerce routinely shortchange their protection of key online assets and systems. A single security breach in the online world can be far more damaging than it would be in the physical world in terms of strategic information lost, bad publicity, loss of customer and partner confidence, and stakeholder liability. Once this realization hits home, information security quickly becomes a key priority for e-business.
Trust, therefore, has become the fundamental issue for organizations using information technology to grow through acquisition, move aggressively into new online business ventures or streamline existing business operations. Can IT and senior management trust that information is being properly used and safeguarded by employees? Can customers trust vendors to protect their privacy? Can organizations trust vendors and partners to properly secure their interconnected online assets? What is the financial impact when a specific segment of the network security infrastructure is compromised or fails? Without this confidence, it becomes very difficult to deploy business solutions successfully in electronic commerce or in the other online capabilities necessary for competing in today's wired marketplace.
The key to creating useful, transparent and enforceable network security comes from adopting a process that provides broad-based needs input, careful identification of network resource and access requirements, and data-driven implementation and management services. This process results in a proper security policy that significantly improves information availability, integrity and privacy. Just as importantly, a properly executed information security program encourages buy-in across the organization. By building education and participation into the security management lifecycle, organizations encourage voluntary compliance and greatly enhance the possibility of a successful implementation.
This fundamental security management life cycle contains five interrelated processes – assess, design, deploy, manage/support and educate. These five elements work as a closed loop system, allowing the security cycle to grow and respond to changing network needs and conditions. Each element is defined below.
Assess – An ISO-based, systematic baseline identification of all network devices and resources, and the establishment of valuations for all groups of data residing on the network. Assessment converts general descriptions of the network into measurable data sets that can then be used to design an effective security management policy and infrastructure.
Design – Conversion of assessment data into lists of network security applications, deployment locations, implementation strategies and specific configuration guidelines for each network device or security application. At the completion of this stage, the security policy exists as a completed document, accompanied by a deployment plan for all necessary technologies.
Deploy – The physical process of implementing the plans created in the design phase. This includes installation, testing, training and conversion to a production environment.
Manage and Support – Measuring performance data from the network security infrastructure against the goals stated in the security policy. Non-compliant systems and events trigger specific actions, as stated in the policy, including a re-evaluation of the policy and restart of the policy generation process. This stage can manifest itself as either in-house operation or, more commonly, as outsourced managed security services, and should include a detailed incident response plan.
Educate – An ongoing effort to raise awareness of the need for network security at the executive, management, administrator and end user levels. This process cuts across all other steps, and includes both administrator training for emerging threats to systems and awareness among end users of the benefits of working within the security architecture.
The second aspect of ETSec's Security Lifecycle Methodology is based on the level of regulatory compliance with the Sarbanes-Oxley Act (SOX) guidelines, using the Committee of Sponsoring Organizations (COSO) framework, Control Objectives for Information and related Technology (COBIT) and the Payment Card Industry Act (PCI), as well as IT best practices as outlined by the International Organization for Standards (ISO).
COSO – Security Framework
The COSO framework provides a structured and comprehensive set of guidelines for creating and implementing internal controls. The use of the COSO framework is not required for SOX compliance, but it is safe to assume that any other framework selected will be similar in scope. An important factor in the selection of COSO was its wide acceptance by most of the big financial auditing firms. COSO provides general guidance regarding information security controls, addressing higher-level topics such as control environment, risk assessment, control activities, information and communication, and monitoring. COSO, however, still does not provide the specific information that an information security professional would need. Another, more specific, guideline is needed for actual security operations control.
COBIT – Security Methodology
The other piece of the puzzle is Control Objectives for Information and related Technology (COBIT). The COBIT methodology was created by the Information Systems Audit and Control Association (ISACA) to provide specific guidance for creating and assessing IT controls. COBIT is best described with its mission statement:
The COBIT Mission: To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals. COBIT addresses 34 IT processes, ranging from strategic planning to implementation, production support and monitoring. The processes are grouped into 4 domains:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring
Within each of these domains are detailed guidelines for the assessment of every major IT process. By mapping these processes to the more general COSO framework, a roadmap for not only SOX compliance but a minimum level of expectation for corporate IT security policies can be created.
ITGI
The Information Technology Governance Institute (ITGI) is a group created to assist corporations with governing their IT and ensuring IT efficiently supports business mission and goals. ITGI has used COSO and COBIT to create a set of specific IT control objectives for SOX. These control objectives are designed to assist personnel responsible for control assessment. They provide specific guidance in identifying and assessing IT controls. While the COBIT control methodology encompasses all IT processes, the focus of this discussion is security.
Within the ITGI general control objectives, the COBIT information security topic can be further broken down into the following specific sub-topics:
Security Policy
Comprehensive security policies form the foundation of information security and should drive the standards and processes that ensure IT systems are secure.
Security Standards
The existence of appropriate security standards should be considered necessary for a well-maintained IT infrastructure. According to the SANS Institute: “A standard is typically collections of system-specific or procedural-specific requirements that must be met by everyone”. In addition to the standards themselves, policy-driven processes should exist for reviewing and maintaining the standards, as well as methods for communicating them to the appropriate personnel.
Access and Authentication
A fundamental control for any IT infrastructure system is ensuring that only people who are authorized to use the system can access it.
User Account Management
User account management generally encompasses the processes used for creating, changing, and deleting user accounts.
Network Security
Since most IT systems are connected to a network and probably have some form of access to the internet, it is important that the network infrastructure has appropriate security. Perimeter security should be controlled with firewalls and monitored with intrusion detection systems. In large and geographically diverse networks, using firewalls to segment financial systems from other internal systems may be appropriate. Other network security controls include:
- Encryption Standards
- Wireless Security Standards
- Desktop Security Controls
- Network Proactive Controls
Finally, an independent assessment of network security may also be appropriate to test the security controls. This may include ethical hacking, or penetration testing, from a third-party service.
Monitoring
Monitoring of logs and security events is related to many areas of information security. Invalid login attempts, port scans, and requests for inappropriate access are all examples of security events that should be monitored.
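As an added illustration of the monitoring point above (this is example code, not part of ETSec's methodology or any product), the script below runs two simple detections over constructed log lines: repeated invalid login attempts from one source within a short window, and a port scan seen as one source probing many distinct destination ports. The log formats, IP addresses, thresholds and window sizes are all assumptions chosen for the example; a real deployment would take these values from the security policy produced in the design phase.

```python
"""Detect invalid-login bursts and port scans in constructed log lines.

Example code added for illustration; log formats, addresses and
thresholds are assumptions, not taken from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (SSH-style). 203.0.113.7 fails six times in
# ten seconds; 198.51.100.4 fails once and then succeeds (normal user typo).
AUTH_LOG = "\n".join([
    "2024-01-15T10:00:01 sshd: Failed password for root from 203.0.113.7 port 51234",
    "2024-01-15T10:00:03 sshd: Failed password for admin from 203.0.113.7 port 51235",
    "2024-01-15T10:00:05 sshd: Failed password for admin from 203.0.113.7 port 51236",
    "2024-01-15T10:00:07 sshd: Failed password for admin from 203.0.113.7 port 51237",
    "2024-01-15T10:00:09 sshd: Failed password for admin from 203.0.113.7 port 51238",
    "2024-01-15T10:00:11 sshd: Failed password for admin from 203.0.113.7 port 51239",
    "2024-01-15T10:05:00 sshd: Failed password for alice from 198.51.100.4 port 40001",
    "2024-01-15T10:05:10 sshd: Accepted password for alice from 198.51.100.4 port 40002",
])

# Constructed firewall log: 192.0.2.9 touches twelve distinct ports within a
# minute (scan-like); 198.51.100.4 makes one ordinary HTTPS connection.
FW_LOG = "\n".join(
    [f"2024-01-15T11:00:{i:02d} fw: DROP src=192.0.2.9 dst=10.0.0.5 dport={20 + i}"
     for i in range(12)]
    + ["2024-01-15T11:30:00 fw: ACCEPT src=198.51.100.4 dst=10.0.0.5 dport=443"]
)

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^(\S+) fw: (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")


def detect_failed_logins(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: max_failures_in_window} for sources that reach
    `threshold` failed logins inside any sliding `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(2) == "Failed":
            failures[m.group(4)].append(datetime.fromisoformat(m.group(1)))

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def detect_port_scans(log_text, min_ports=10, window_minutes=5):
    """Return {source_ip: distinct_ports} for sources that touch at least
    `min_ports` distinct destination ports within one `window_minutes` bucket."""
    ports = defaultdict(set)  # (src, bucket) -> set of destination ports
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                            second=0, microsecond=0)
        ports[(m.group(3), bucket)].add(int(m.group(5)))

    alerts = {}
    for (src, _bucket), dports in ports.items():
        if len(dports) >= min_ports:
            alerts[src] = max(alerts.get(src, 0), len(dports))
    return alerts


def run_detections():
    """Run both detections over the constructed logs and return the alerts."""
    return {
        "failed_logins": detect_failed_logins(AUTH_LOG),
        "port_scans": detect_port_scans(FW_LOG),
    }


if __name__ == "__main__":
    for kind, hits in run_detections().items():
        for src, value in hits.items():
            print(f"{kind}: {src} ({value})")
```

Both detections deliberately ignore the single failed login followed by a success from 198.51.100.4, which is the kind of benign event a threshold is meant to filter; the thresholds and windows are the tunable part of the policy, and the events that do fire are what the "Manage and Support" phase measures against it.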
Segregation of Duties
Where appropriate, the capabilities required to initiate, carry out, and review transactions should be segregated so that no one person has control over the process from start to finish. A definition of Segregation of Duties is provided by The Information Security Glossary: “A method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud”.
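The following added example (not ETSec's code; the role names, users and transaction fields are assumptions made for illustration) shows how the access-and-authentication control and the segregation-of-duties control above translate into code: a transaction moves through initiate, execute and review steps, each step requires the acting user to hold the matching role, and no user may perform more than one step on the same transaction.

```python
"""Enforce segregation of duties on a three-step transaction workflow.

Example code added for illustration; roles, users and amounts are
constructed assumptions, not from any real system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class SoDViolation(Exception):
    """Raised when one person would control more than one step of a transaction."""


# Constructed role assignments. Only authorized users can act at all
# (access control); segregation of duties is checked on top of that.
ROLES: Dict[str, Set[str]] = {
    "alice": {"initiator"},
    "bob": {"executor"},
    "carol": {"reviewer"},
    "dave": {"initiator", "executor", "reviewer"},  # over-privileged, used to show the check
}

STEPS: List[str] = ["initiate", "execute", "review"]
STEP_ROLE = {"initiate": "initiator", "execute": "executor", "review": "reviewer"}


@dataclass
class Transaction:
    tx_id: str
    amount: float
    actors: Dict[str, str] = field(default_factory=dict)  # step -> user

    @property
    def next_step(self) -> Optional[str]:
        """The next step still to be performed, or None when complete."""
        for step in STEPS:
            if step not in self.actors:
                return step
        return None


def perform_step(tx: Transaction, user: str, roles: Dict[str, Set[str]] = ROLES) -> Transaction:
    """Record `user` performing the next step of `tx`, enforcing both controls."""
    step = tx.next_step
    if step is None:
        raise ValueError(f"{tx.tx_id}: transaction already complete")
    # Access control: the user must hold the role for this step.
    if STEP_ROLE[step] not in roles.get(user, set()):
        raise PermissionError(f"{user} is not authorized to {step} transactions")
    # Segregation of duties: the user may not have acted on this transaction before.
    if user in tx.actors.values():
        raise SoDViolation(f"{user} already performed {[s for s, u in tx.actors.items() if u == user]} on {tx.tx_id}")
    tx.actors[step] = user
    return tx


def process_transaction(tx_id: str, amount: float, users: List[str]) -> Transaction:
    """Run all three steps with the given users in order; returns the completed transaction."""
    tx = Transaction(tx_id, amount)
    for user in users:
        perform_step(tx, user)
    if tx.next_step is not None:
        raise ValueError(f"{tx_id}: still waiting for step '{tx.next_step}'")
    return tx


def is_segregated(tx: Transaction) -> bool:
    """True when every completed step was performed by a distinct user."""
    return len(set(tx.actors.values())) == len(tx.actors)


if __name__ == "__main__":
    ok = process_transaction("TX-1001", 2500.0, ["alice", "bob", "carol"])
    print("completed:", ok.actors, "segregated:", is_segregated(ok))
    try:
        process_transaction("TX-1002", 2500.0, ["dave", "bob", "dave"])
    except SoDViolation as exc:
        print("blocked:", exc)
```

The point of the `dave` entry is that holding every role is not itself forbidden by the role table, so a role check alone would let one person initiate and review the same payment; the per-transaction actor check is what makes the control effective, and the attempted violation is exactly the kind of "request for inappropriate access" the monitoring sub-topic says should be logged.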
Physical Security
Physical access to the IT infrastructure systems that support critical IT components and reporting should be restricted.
By combining the framework and methodologies as outlined above, we now have a basis for the development of a corporate security program for any environment. If you'd like to learn more about how we can leverage our methodology to create the ideal security solution for your enterprise, please contact us today.