1.2 IAP Management
“Applying similar management practices to [i]nformation security management is unavoidable as the security environment keeps on increasing in complexity and insecurity.” – Security Governance.net
Typically, the primary purposes of information systems are reliable and effective data collection, processing, and dissemination. Information systems should incorporate procedures specifically designed to achieve management’s objectives through adequate control measures. An entity’s management should therefore treat IAP as a required service that ensures the relevant information criteria are delivered and supported. As suggested by the COBIT framework, an entity’s information delivery and support should integrate the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability criteria.
Compliance demonstrates acceptance of expected behavior. Legal compliance is an essential management fiduciary responsibility; however, it is not enough to ensure an adequate control environment. It follows that an entity’s established information control environment must achieve dynamic homeostasis or risk managerial chaos. Therefore, ISG should be installed to convey management’s control environment attitude, awareness, and actions. In particular, ISG management should ensure an adequate IAP program is deployed. For example, management’s failure to commit sufficient resources to addressing IT security risks may adversely affect deployed controls by permitting improper changes to computer objects, or by permitting unauthorized transaction processing that negatively impacts business decisions.
Dynamic homeostasis is the achievement of a steady state by a relatively open system. This condition results from receiving input from outside the system that is at least equal to the sum of system output and resource expenditure. Thus, a for-profit entity must earn profits in the long run to continue as a functional concern and to grow. In fact, all organizational units are open systems to some degree, because none can operate without some interaction with the surrounding environment.
Control planning allows forecasting of future organizational direction and relevant influences, as well as deriving the best strategy for accomplishing control objectives (considering the entity’s strengths, weaknesses and foreseeable trends). Furthermore, the control planning process translates strategy into measurable and operational plans, and retranslates operational plans into policies, procedures, directives, standards, and rules. Management’s environmental risk assessments can determine how critical a given control implementation is.
1.1 Control Environment
“…culture determines the behaviour of people in an organisation and should, therefore, be used to influence the behaviour of people with regard to information security.” – Kerry-Lynn Thomson and Rossouw von Solms
Most entities operate in an environment that is influenced by perceived stakeholder values; the entity’s mission, vision and values; community and organizational ethics and culture; applicable laws, regulations and policies; as well as industry practices. When interacting with the environment, organizational units endeavor to maintain their basic culture while attempting to control the external and internal factors impacting programs, systems, and processes dedicated to pursuing the entity’s mission. In systems theory, this characteristic is known as dynamic homeostasis. Contextually, ‘dynamic’ means that homeostasis is achieved even though the system is in a constant state of variable activity. Consequently, organizational units generally rely on adaptive processes to cope with changing environmental circumstances.
Usually, a formal ISG program is required to promote the safeguarding of information assets. ISG programs should ensure that the Control Objectives for Information and related Technology (COBIT) framework’s confidentiality, integrity, availability, compliance, and reliability information criteria are not compromised through gaps in controls. Therefore, the information security program and its associated systems, processes and activities need to be regularly assessed for quality and for compliance with defined requirements. Monitoring and evaluating information security drives the assurances provided or obtained through due care and due diligence, and enables fulfillment of managerial fiduciary oversight expectations.
Whether ISG is considered a distinct governance classification supporting entity governance or a subset of information technology governance (ITG), safeguarding IT normally mandates addressing separation of responsibilities and ‘protection of information assets’ to ensure managerial due diligence. Typically, safeguarding information assets translates into ensuring resources are acquired, utilized and disposed of in accordance with proper procedures and approvals. If ISG is misaligned with entity governance and ITG, financial, legal, operational and reputational risks can escalate beyond demarcated tolerance levels. In fact, a functional entity’s very existence may depend on how well it safeguards the assets utilized in achieving the adopted organizational mission.
Acquisitions and implementations are necessary for adequate information security. To realize the information security strategy, information security solutions need to be identified, developed or acquired, as well as implemented and integrated into business and IT processes seamlessly. During an information security product or service acquisition and implementation cycle, changes and maintenance may be required to sustain continued service quality for impacted systems or processes.
Within an entity’s organizational structure, providing acceptable service delivery necessitates the installation of an effective support system. Information security service delivery and support may range from operational protection deployment to crisis response training. However, assessing changes to, and the maintenance of, existing systems is a critical security service component contributing to delivery value. Required information protection changes and maintenance can be induced by various problems encountered by users or by deliberate attacks on the established information security architecture.
Instituting and/or sustaining ISG requires comprehensive planning and organizing; robust acquisitions and implementations; effective delivery and support; as well as continuous monitoring and evaluation to address the myriad of managerial, operational, and technical issues that can thwart satisfying an entity’s mission. Consequently, “[i]nformation security requires a balance between sound management and applied technology.” Sound management enables assuring adequate asset safeguarding, while applied technology can introduce efficiencies for addressing potential external or internal threats.
Planning and organizing are imperative to managerial cohesiveness. ISG usually occurs at different organizational strata, with team leaders reporting to and receiving direction from their managers, with managers reporting up to an executive, and with the highest-level executive conferring with and receiving direction from the entity’s oversight committee. Information that indicates deviation from targets will usually include recommendations for action requiring endorsement by the entity’s oversight layer. Clearly, this approach is ineffective unless strategies, objectives and goals have first been developed and deployed within the entity’s organizational structure.
Chapter 1: Information Security Governance
“The information possessed by an organization is among its most valuable assets and is critical to its success. The Board of Directors, which is ultimately accountable for the organization’s success, is therefore responsible for the protection of its information. The protection of this information can be achieved only through effective management and assured only through effective board oversight.” – A Call to Action for Corporate Governance, March 2000
Most entities actively seek to maximize stakeholder return on investment and to foster superior customer relations in order to justify their continued existence. With information technologies considered indispensable to providing processing efficiency, communication expediency and information reliability for stakeholders and customers, entities need to adequately safeguard information assets, since those assets have measurable value. To accomplish this security necessity, management normally needs a governance framework that enables organizational alignment, judicious resource allotment, risk management, value delivery and performance measurement.
Network-based intrusion detection captures traffic and analyzes it to identify notable events. If placed at the front-end IT perimeter, a properly configured network-based IDS will detect all externally initiated attack attempts, even where the firewall subsequently permits malicious packets to ingress. As an alternative configuration option, an IDS can be placed between a firewall and the internal network, where it will only evaluate traffic the firewall has passed.
Effective information assets protection (IAP) technologies are valuable defense mechanisms for combating inappropriate and malicious behavior. Therefore, information security personnel should identify and evaluate deployed configuration management tools that ensure an entity’s network infrastructure maintains data integrity and availability.
Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.
Anomaly intrusion detection monitors network segments, compares the current state to a previously determined normal baseline, and indicates unusual situations. Anomaly-based detection can focus solely on protocols. Under this circumstance, protocol anomaly analysis exposes attacks that a signature-based IDS is likely to overlook; however, the false-positive rate is often higher than with other intrusion detection approaches. Statistical patterns or profiles are frequently the better means of detecting insider IT attacks. However, cunning users can intentionally modify their statistical patterns or profiles to mask malicious activities. Additionally, a large amount of processing capacity is usually required for anomaly intrusion detection.
Host-based intrusion detection generally provides passive examination of an individual IT asset’s activity. A host-based IDS can employ system log data, resource utilization, modification or deletion of files, abnormal privilege escalation, and other indicators to note potential attacks against a particular IT asset.
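As an added illustration of the statistical-profile approach described above (this is not code from the book), the following Python script builds a per-source baseline from constructed flow records and flags current flows whose byte counts deviate from that baseline; the IP addresses, ports and byte counts are made up for the example.

```python
"""Statistical anomaly detection over per-source traffic profiles.

Added illustration (not from the book): a baseline window of flow
records is turned into a per-source profile (mean and standard deviation
of bytes per flow); current flows are scored by z-score against that
profile and flagged when they deviate by more than a threshold.
"""
import statistics
from collections import defaultdict

# Constructed sample flow records: (source_ip, dest_port, bytes_sent).
BASELINE_FLOWS = [
    ("10.0.0.5", 443, 1000), ("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1100),
    ("10.0.0.5", 443, 1300), ("10.0.0.5", 443, 1500), ("10.0.0.5", 443, 1400),
    ("10.0.0.7", 53, 200), ("10.0.0.7", 53, 250), ("10.0.0.7", 53, 300),
    ("10.0.0.7", 53, 220), ("10.0.0.7", 53, 280),
]
CURRENT_FLOWS = [
    ("10.0.0.5", 443, 1200),     # within the normal band
    ("10.0.0.5", 443, 250000),   # far above baseline: worth an analyst's look
    ("10.0.0.7", 53, 260),       # within the normal band
    ("10.0.0.9", 22, 500),       # source never seen in the baseline window
]

def build_profile(flows):
    """Return {source: (mean_bytes, stdev_bytes)} from the baseline window."""
    per_source = defaultdict(list)
    for src, _port, nbytes in flows:
        per_source[src].append(nbytes)
    return {src: (statistics.mean(v), statistics.pstdev(v))
            for src, v in per_source.items()}

def z_score(value, mean, stdev):
    # Floor the deviation at 1 byte so a constant baseline cannot divide by zero.
    return (value - mean) / max(stdev, 1.0)

def detect(flows, profile, threshold=3.0):
    """Return alerts as (source, bytes, reason). Lowering the threshold catches
    subtler deviations but raises the false-positive rate the text warns about."""
    alerts = []
    for src, _port, nbytes in flows:
        if src not in profile:
            alerts.append((src, nbytes, "no baseline for source"))
            continue
        z = z_score(nbytes, *profile[src])
        if abs(z) > threshold:
            alerts.append((src, nbytes, f"z-score {z:.1f} exceeds {threshold}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(CURRENT_FLOWS, build_profile(BASELINE_FLOWS)):
        print(alert)
```

A real deployment would rebuild the profile on a rolling window and score more than one feature (packet counts, destination ports, time of day), but the comparison-against-baseline logic is the same.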