[ISN] IT and compliance: A risk management 'odd couple'

From: InfoSec News (alerts@private)
Date: Mon Jul 02 2007 - 23:12:23 PDT


By Danny Bradbury
2 July 2007

Handling compliance and risk has become an inescapable element of the 
modern CIO's role, as CIOs strive to ensure the business can forge ahead 
without exposing areas of weakness or potential liability. Danny 
Bradbury explains the dilemma...

Compliance can be a daunting word for IT managers. Ultimately, it's 
about managing risk exposure at a broad level. So what can IT directors 
do to satisfy the rest of the board, especially given that regulations 
are mostly vague, principle-based affairs?

Be thankful for vague rules.

The few regulations that meddle with operational specifics aren't 
generally helpful security guides, argues Michael Barrett, chief 
information security officer at PayPal.

For example, the industry-enforced PCI-DSS standard for credit card 
payment handlers specifies conditions such as the application and 
configuration of personal firewalls. Barrett dislikes personal firewalls 
because uneducated users often make the wrong decisions when told that 
'application nettaxi.exe is trying to access outbound port 142'.

"Many organisations choose to simply not use them," says Barrett. "So 
then the auditors put you through this huge wringer."

PayPal got onto the board of the PCI advisory council to address issues 
such as these.

Even the more principle-based rules can cause problems because they 
often aren't harmonised, says Stuart Okin, UK lead for security at 
Accenture. They can become contradictory, especially when spread across 
different regions. Cut out the noise, says Okin: "Decide what the most 
important thing is that you're going to protect, and then decide what 
architecture you're going to supply."

Those parameters have to be defined at a strategic and tactical level 
before you start buying point solutions to shore up your infrastructure.

Technology isn't the starting point, explains John Pironti, a member of 
the education board for the Information Systems Audit and Control 
Association and chief risk strategist at IT services firm Getronics.

"The first step is to perform a threat and vulnerability analysis on the 
organisation's information infrastructure - all of the processes, 
procedures, standards, people and technologies that support the use, 
transport and storage of data and information," he says. After this you 
can get to the vulnerability management plan.

PayPal, which is heavily regulated by the banking industry, starts with 
this vulnerability analysis across the whole firm before drilling down 
to do the same with the IT department, says Barrett. On his enterprise 
risk 'heat map', he always finds that IT ends up as a risky area.

"We then drill down into that particular information security area using 
whatever standards there are as a framework. We use ISO 17799 and ISO 
27001 at this layer to help govern our managed security programme," he 

ISO 17799 (expected to be renamed ISO 27002 this year) provides a set of 
best practices for security, in areas including compliance. ISO 27001 is 
a certification standard to ensure that they've got it right.

"No-one ever gets 100 per cent scores on those things, because if you 
did you're probably overinvesting in the area," he warns. "It's about 
getting the risk into an acceptable tolerance but not spending more than 
you need to." That process involves matching the value of the data at 
risk to the amount you're spending on protecting it.

But how does all that influence operational procedures? Encryption is 
proving a popular technology to protect data, says Pironti, adding that 
companies are deploying it for volatile environments where controls 
aren't easily available (such as mobile data). This probably would have 
saved the Nationwide Building Society the fine of almost a million 
pounds that it had to pay when a laptop containing unencrypted data was 
stolen from an employee's home.

But the other way to tighten up security controls is to refine your 
overall IT practice using service and management strategies like ITIL 
and CoBIT, says Pironti. These frameworks help to govern basic practices 
such as patch management, for example.

Even if such schemes aren't rigidly applied, a better understanding of 
IT processes has become important to security.

Accenture's Okin says: "Three or four years ago, people wouldn't 
understand simple stuff around patch management. That's changed, so that 
most of our clients have a strong handle on applying risk methodology 
and understanding when they're going to patch."

But when considering risk, IT management practices such as these are 
basic table stakes.

Clive Longbottom, analyst at Quocirca, argues that risk management is no 
longer simply about locking down system resources. Security for 
compliance purposes has to be considered in the wider corporate context 
of roles and relationships (not least because when considering broader 
enterprise risk, you're looking at internal controls that focus around 
people, rather than nodes on the network).

"It's then better linkable into organisational structure and process," 
says Longbottom. "You have the role and responsibilities of the person, 
and what they're doing at any one time. Once you bring those vectors 
together, you have that binary of 'yes, you can do this' or 'no, you 

For example, a marketing person might only need to see a subset of 
files, and might only be allowed to view them while they're in the 
office. The CEO might need to view all of them, and may be allowed 
access from his laptop at home, but even he might not be allowed to 
access them from a public wi-fi hotspot.

Mapping privileges to people in this way also makes it easier to 
introduce a fundamental risk management concept into the IT practice: 

"This is the enhancement of adding identity and logging capabilities to 
all processes which touch sensitive data," says Pironti. "This gives an 
organisation a credible view of who touched data and what they did. It's 
a passive control, but it allows organisations to perform more effective 
root cause analysis in the case of an information security event or 

The technology behind these basic operations - which email archiving, 
activity logging and configuration management products you use - is 
less interesting and challenging than the altered working practice that 
it is going to support. Pushing accountability throughout an 
organisation requires a major cultural change that goes beyond the 
installation of an Active Directory database and a single sign-on 
system. It brings into play challenges such as enforcing best security 
practice at an individual level, perhaps by tying it to performance 
reviews. These are issues that Barrett says even PayPal hasn't fully 
tackled yet.

Making those decisions highlights a popular misconception about IT risk 
management. You never stamp out risks. They always exist, and boards are 
paid to take them. How much risk you take when complying with 
interpretive regulations is something that the IT department must work 
through with the board. Doing that requires that you speak the board's 
language. Handling that translation may be the hardest job of all.


This archive was generated by hypermail 2.1.3 : Mon Jul 02 2007 - 23:22:55 PDT