http://www.silicon.com/research/specialreports/riskmanagement/0,3800013989,39167694,00.htm

By Danny Bradbury
2 July 2007

Handling compliance and risk has become an inescapable element of the modern CIO's role as they strive to ensure the business can forge ahead while not exposing areas of weakness or potential liability. Danny Bradbury explains the dilemma...

Compliance can be a daunting word for IT managers. Ultimately, it's about managing risk exposure at a broad level. So what can IT directors do to satisfy the rest of the board, especially given that regulations are mostly vague, principle-based affairs?

Be thankful for vague rules. The few regulations that meddle with operational specifics aren't generally helpful security guides, argues Michael Barrett, chief information security officer at PayPal. For example, the industry-enforced PCI-DSS standard for credit card payment handlers specifies conditions such as the application and configuration of personal firewalls. Barrett dislikes personal firewalls because uneducated users often make the wrong decisions when told that 'application nettaxi.exe is trying to access outbound port 142'.

"Many organisations choose to simply not use them," says Barrett. "So then the auditors put you through this huge wringer." PayPal got onto the board of the PCI advisory council to address issues such as these.

Even the more principle-based rules can cause problems because they often aren't harmonised, says Stuart Okin, UK lead for security at Accenture. They can become contradictory, especially when spread across different regions. Cut out the noise, says Okin: "Decide what the most important thing is that you're going to protect, and then decide what architecture you're going to supply." Those parameters have to be defined at a strategic and tactical level before you start buying point solutions to shore up your infrastructure.
Technology isn't the starting point, explains John Pironti, a member of the education board for the Information Systems Audit and Control Association and chief risk strategist at IT services firm Getronics. "The first step is to perform a threat and vulnerability analysis on the organisation's information infrastructure - all of the processes, procedures, standards, people and technologies that support the use, transport and storage of data and information," he says. After this you can get to the vulnerability management plan.

PayPal, which is heavily regulated by the banking industry, starts with this vulnerability analysis across the whole firm before drilling down to do the same with the IT department, says Barrett. On his enterprise risk 'heat map', he always finds that IT ends up as a risky area. "We then drill down into that particular information security area using whatever standards there are as a framework. We use ISO 17799 and ISO 27001 at this layer to help govern our managed security programme," he says.

ISO 17799 (expected to be renamed ISO 27002 this year) provides a set of best practices for security, in areas including compliance. ISO 27001 is a certification standard to ensure that they've got it right. "No-one ever gets 100 per cent scores on those things, because if you did you're probably overinvesting in the area," he warns. "It's about getting the risk into an acceptable tolerance but not spending more than you need to." That process involves matching the value of the data at risk to the amount you're spending on protecting it.

But how does all that influence operational procedures? Encryption is proving a popular technology to protect data, says Pironti, adding that companies are deploying it for volatile environments where controls aren't easily available (such as mobile data).
This probably would have saved the Nationwide Building Society the fine of almost a million pounds that it had to pay when a laptop containing unencrypted data was stolen from an employee's home.

But the other way to tighten up security controls is to refine your overall IT practice using service and management strategies like ITIL and CoBIT, says Pironti. These frameworks help to govern basic practices such as patch management, for example. Even if such schemes aren't rigidly applied, a better understanding of IT processes has become important to security. Accenture's Okin says: "Three or four years ago, people wouldn't understand simple stuff around patch management. That's changed, so that most of our clients have a strong handle on applying risk methodology and understanding when they're going to patch."

But when considering risk, IT management practices such as these are basic table stakes. Clive Longbottom, analyst at Quocirca, argues that risk management is no longer simply about locking down system resources. Security for compliance purposes has to be considered in the wider corporate context of roles and relationships (not least because when considering broader enterprise risk, you're looking at internal controls that focus around people, rather than nodes on the network).

"It's then better linkable into organisational structure and process," says Longbottom. "You have the role and responsibilities of the person, and what they're doing at any one time. Once you bring those vectors together, you have that binary of 'yes, you can do this' or 'no, you can't'." For example, a marketing person might only need to see a subset of files, and might only be allowed to view them while they're in the office. The CEO might need to view all of them, and may be allowed access from his laptop at home, but even he might not be allowed to access them from a public wi-fi hotspot.
Mapping privileges to people in this way also makes it easier to introduce a fundamental risk management concept into the IT practice: accountability. "This is the enhancement of adding identity and logging capabilities to all processes which touch sensitive data," says Pironti. "This gives an organisation a credible view of who touched data and what they did. It's a passive control, but it allows organisations to perform more effective root cause analysis in the case of an information security event or incident."

The technology behind these basic operations - which email archiving, activity logging and configuration management products you use - is a less interesting and challenging consideration than the altered working practice that it is going to support. Pushing accountability throughout an organisation requires a major cultural change that goes beyond the installation of an Active Directory database and a single sign-on system. It brings into play challenges such as enforcing best security practice at an individual level, perhaps by tying it to performance reviews, for example. These are issues that Barrett says even PayPal hasn't fully tackled yet.

Making those decisions highlights a popular misconception about IT risk management. You never stamp out risks. They always exist, and boards are paid to take them. How much risk you take when complying with interpretive regulations is something that the IT department must work through with the board. Doing that requires that you speak the board's language. Handling that translation may be the hardest job of all.
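The role-plus-context decision Longbottom describes (a marketing user sees a subset of files and only from the office; the CEO sees everything from the office or a home laptop but not from a public hotspot) and the identity-plus-logging accountability control Pironti outlines, worked through as one small policy evaluator. This is an added illustration, not code from the article or from any product it mentions; the role names, document names and network labels are constructed for the example, and the policy is deliberately deny-by-default.

```python
"""Context-aware authorization with an audit trail (added example).

Not code from the article or from any vendor it names. Role names,
document names and network labels below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessRequest:
    user: str        # the person's identity, not a network node
    role: str        # constructed roles: "marketing", "ceo"
    network: str     # constructed locations: "office", "home_laptop", "public_wifi"
    document: str    # the sensitive resource being requested
    action: str = "view"


@dataclass(frozen=True)
class RolePolicy:
    documents: Optional[Set[str]]   # None means every document; otherwise a subset
    networks: Set[str]              # locations from which the role may act at all


# Deny-by-default policy table: a role absent from this table gets nothing.
POLICY: Dict[str, RolePolicy] = {
    "marketing": RolePolicy(documents={"campaign-plan", "press-kit"},
                            networks={"office"}),
    "ceo": RolePolicy(documents=None,
                      networks={"office", "home_laptop"}),
}

# The accountability record: every decision, granted or denied, is written here.
AUDIT_LOG: List[Dict[str, str]] = []


def decide(req: AccessRequest, log: List[Dict[str, str]] = AUDIT_LOG) -> bool:
    """Combine role, resource and location into one yes/no answer, then log it."""
    policy = POLICY.get(req.role)
    if policy is None:
        allowed, reason = False, "unknown role"
    elif req.network not in policy.networks:
        allowed, reason = False, f"role {req.role!r} may not act from {req.network!r}"
    elif policy.documents is not None and req.document not in policy.documents:
        allowed, reason = False, f"document {req.document!r} outside role scope"
    else:
        allowed, reason = True, "policy match"

    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "role": req.role,
        "network": req.network,
        "action": req.action,
        "document": req.document,
        "decision": "ALLOW" if allowed else "DENY",
        "reason": reason,
    })
    return allowed


def who_touched(document: str, log: List[Dict[str, str]] = AUDIT_LOG) -> List[str]:
    """The root-cause question after an incident: which identities were granted access?"""
    return [e["user"] for e in log
            if e["document"] == document and e["decision"] == "ALLOW"]


def denied_attempts(log: List[Dict[str, str]] = AUDIT_LOG) -> List[Dict[str, str]]:
    """Denials are kept too: repeated refusals from a public network are worth a look."""
    return [e for e in log if e["decision"] == "DENY"]


if __name__ == "__main__":
    demo_log: List[Dict[str, str]] = []   # separate log so the demo is self-contained
    for r in [
        AccessRequest("alice", "marketing", "office", "press-kit"),
        AccessRequest("alice", "marketing", "home_laptop", "press-kit"),
        AccessRequest("bob", "ceo", "home_laptop", "board-minutes"),
        AccessRequest("bob", "ceo", "public_wifi", "board-minutes"),
    ]:
        print(r.user, r.network, r.document, "->", decide(r, demo_log), demo_log[-1]["reason"])
    print("touched board-minutes:", who_touched("board-minutes", demo_log))
```

The point of logging the denied requests as well as the granted ones is the "passive control" Pironti mentions: the log does not stop anything by itself, but it lets an investigator reconstruct who reached a document and who tried and failed, keyed by person rather than by machine.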
This archive was generated by hypermail 2.1.3 : Mon Jul 02 2007 - 23:22:55 PDT