Information security—the assurance of system availability, data confidentiality, and integrity—has become a serious concern in today’s more open and interconnected business environment. However, the need to resolve this concern presents a clear opportunity for enterprises. With the right strategic plan and a sound management approach, organizations can leverage their investments in information security to improve other business processes throughout the extended enterprise.
Business process improvement is already important for effective information security. In the near future, it will become crucial. The World Wide Web, Web services, peer-to-peer systems, grid computing, and the increasing general availability of information technology, all intended to make information access easier, are creating a rapidly increasing number of vulnerabilities. As a result, the need for better security is compelling enterprises to redesign their business processes merely to close this vulnerability gap.
The advent of Web applications allowed attackers to circumvent conventional firewalls, a serious problem in itself. Web services multiply Web-related vulnerabilities as individual self-describing messages become conduits for attacks, and directory resources become vulnerable across many domains. Grid computing promises to make untapped private resources a public commodity, a plan that has obvious security implications. One initial approach to securing grids proposes the use of public key infrastructure (PKI). This could imply that grids would use the same thin security layer for very large virtual information stores, violating the rule of compartmentalization and therefore clearly increasing the level of risk.
In today’s Web-enabled environment, any passive, static approach to security is inadequate. Good security is a dynamic process, fully integrated with other business processes. To confront the multitude of vulnerabilities in today’s enterprise computing environments, organizations must take an actively managed, end-to-end approach to information security.
The New Role for Information Security
A new, comprehensive and integrated approach to security automatically lends itself to the creation of a unified business process that can enhance communications, increase productivity, and lower costs. Instead of merely building a wall of security, enterprises can instill security in processes that also benefit the extended organization in many other ways.
This integration of security and other business objectives helps enterprises meet the dual imperatives of protection and enablement, creating a way to improve security while also managing the people, processes, and technologies of the extended enterprise.
■ Security Controls
The use of internal controls has changed radically in response to regulations that impose strict governance, financial disclosure, accounting, and information security requirements on corporations. Controls can be manual or automated, as simple as regularly generating reports and reviewing them, or as complicated as preventing particular classes of users from changing a data field on a specific screen of an enterprise application. Organizations prefer automated controls when possible to reduce the possibility of human error.
The segregation of duties in an enterprise resource planning (ERP) system provides a basic example of an internal control: The person responsible for creating a vendor record or a purchase order is not the same person who pays the invoice for the purchase order. In the case of information technology (IT) personnel, access control through segregation of duties is particularly important to prevent unauthorized changes to sensitive information such as the payroll database, for instance.
In the United States, the Sarbanes-Oxley Act of 2002 has imposed substantial internal control requirements on securities issuers who must file reports with the Securities and Exchange Commission. These issuers include not only U.S. entities but also non-U.S. entities that market securities in the United States. Section 302 of the Act requires chief executive officers (CEOs) and chief financial officers (CFOs) to disclose internal control deficiencies, material weaknesses and any occurrence of fraud, material or otherwise. Section 404 of the Act requires an assessment report of the internal controls structure and procedures.
To comply with these regulations, most companies rely on the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to help them ensure that sound internal controls are in place and functioning properly. The framework has five components: the control environment, risk assessment, control activities, information and communication, and monitoring.
■ Identity Management
Identity management (IdM) is the process of providing the right people with the right access at the right time to information systems and other organizational assets. The main components of IdM include the following:
• Authentication—Verifying a user’s (or a system’s) identity.
• Access control—Permitting access only to authorized resources.
• Directory management—Storing user identity information and related configuration, rule, and policy information in a centralized repository.
• User management—Creating, maintaining, changing, and deleting the digital identities of users.
In practice, identity management has its limits. Few enterprises can fully centralize their identity information, and as a result they cannot totally achieve the conceptually simple goal of single sign-on. Even so, identity management can substantially reduce the need for multiple sign-on and has the clear benefit of streamlining human resources, IT, and other business processes. Federated identity management, managing identities across a collection of domains (partners, suppliers, customers) to enable single sign-on throughout the federation, promises even greater benefits.
Authentication methods vary widely. Fundamentally, an approach that combines two or more independent factors, something the user knows (a password or PIN), something the user has (a smart card or hardware token), or something the user is (a fingerprint or other biometric), is called multifactor or strong authentication; two shared secrets, such as a password plus a security question, are still a single factor. Most companies do not see the need for strong authentication in low-risk situations, but greater use of embedded PKI, national security concerns, and the use of building access cards that double as personal computer (PC) access cards will encourage the increased use of strong authentication.
Long-anticipated biometric identification methods still have relatively low levels of adoption. Most biometric systems in use authenticate users by scanning fingerprints; others rely on facial, retina, iris, or hand scanning, or on voice recognition. The high cost of reader devices and implementation inhibits adoption not only of biometrics but also of authentication smart cards and hardware tokens. However, the appearance of universal serial bus (USB) tokens and fingerprint scanners for user authentication should bring economies of scale to these products.
Access control can be user based, role based, rule based, or any combination of the three. Role-based access control (RBAC) is relatively scalable, but imposes considerable setup costs to align workflows and roles. For this reason, RBAC is best suited for organizations that have many users and sound business processes. Once RBAC is established and a user’s responsibility is linked to a process (which implies a set of system permissions), the user management process is greatly simplified, enhancing both productivity and security.
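The segregation-of-duties control described under Security Controls (the person who creates a vendor record or purchase order must not be the person who pays the invoice) is the kind of constraint RBAC makes easy to express: two roles are declared mutually exclusive, and the assignment process refuses to give both to one user. The following is an added example, not code from the book or any ERP product; the role names, permission names, users and the transaction log are constructed for the illustration. It pairs the preventive check (at role assignment) with a detective check over a transaction log, since in practice emergency or legacy accounts often bypass the preventive one.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Roles map to permissions; users map to roles. `exclusive` holds
    pairs of roles that a single user may never hold together (static
    separation of duty, enforced at assignment time)."""
    role_perms: dict = field(default_factory=dict)
    user_roles: dict = field(default_factory=dict)
    exclusive: set = field(default_factory=set)

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((other, role)) in self.exclusive:
                raise PermissionError(
                    f"{user} already holds {other!r}; {role!r} conflicts with it")
        held.add(role)

    def permitted(self, user, perm):
        # A user has a permission if any of the roles held grants it.
        return any(perm in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def build_purchasing_model():
    """Constructed model (assumed names): the person who creates vendors
    or purchase orders must not be the person who pays the invoice."""
    rbac = Rbac()
    rbac.add_role("purchasing_clerk", {"vendor:create", "po:create"})
    rbac.add_role("accounts_payable", {"invoice:pay"})
    rbac.add_role("auditor", {"po:read", "invoice:read"})
    rbac.add_exclusive("purchasing_clerk", "accounts_payable")
    return rbac


def sod_violations(events):
    """Detective control over a transaction log: report purchase orders
    where the same user both created the PO and paid its invoice.
    Each event is (user, action, po_id)."""
    created, paid = {}, {}
    for user, action, po_id in events:
        if action == "po:create":
            created[po_id] = user
        elif action == "invoice:pay":
            paid[po_id] = user
    return sorted(po for po in created
                  if po in paid and created[po] == paid[po])


# Constructed sample log: PO-1002 was created and paid by the same user.
SAMPLE_EVENTS = [
    ("alice", "po:create", "PO-1001"),
    ("bob", "invoice:pay", "PO-1001"),
    ("carol", "po:create", "PO-1002"),
    ("carol", "invoice:pay", "PO-1002"),
]

if __name__ == "__main__":
    model = build_purchasing_model()
    model.assign("alice", "purchasing_clerk")
    model.assign("bob", "accounts_payable")
    try:
        model.assign("alice", "accounts_payable")   # refused by the SoD rule
    except PermissionError as err:
        print("refused:", err)
    print("alice may pay invoices:", model.permitted("alice", "invoice:pay"))
    print("SoD violations in log:", sod_violations(SAMPLE_EVENTS))
```

The preventive rule is what an automated control looks like in the sense of the Security Controls discussion: it removes the human decision at assignment time. The detective pass is the compensating control auditors will still ask for, because it catches violations created outside the RBAC model (direct database changes, shared accounts, roles granted before the rule existed).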
Directories and provisioning are at the heart of user management. A metadirectory is a data sharing and synchronization tool that aggregates identity information in a single repository. Provisioning is the automation of user management. When well designed and implemented, provisioning leverages the power of a unified directory. Organizations can create and manage user accounts, notify the users, and automatically assign permissions and access restrictions to a full range of organizational resources.
Identity federation extends the validity of user credentials beyond organizational boundaries by creating a trust network. All organizations in the network use interoperable identity management procedures and processes and agree to accept each other’s credentials. Because the security of any federated system is only as strong as its weakest link, a foundation of control assertions and trust certification used by all participants is necessary to ensure a trustworthy system. Other trust infrastructure processes, including risk management, liability management, dispute resolution, and compliance requirements, must also be established. For this reason, trust infrastructures are difficult to start, but the credit card industry provides a successful example to follow. The Liberty Alliance Project is a prominent example of an identity federation effort.
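The trust network described above comes down to a few concrete checks a relying party must make on every credential it receives from a partner: is the issuer on the trust list, is the signature valid under that issuer's key, is the assertion addressed to me, is it still within its validity window, and have I seen it before. The following is an added example, not code from the book or from the Liberty Alliance specifications; it uses an HMAC over a JSON body as a stand-in for the XML Signature over a SAML assertion, and the domain names, keys and user are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """One domain in the federation. Issues assertions about its own
    users, signed with a key the relying parties have agreed to trust.
    (HMAC stands in for the XML Signature a real SAML deployment uses.)"""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key
        self._counter = 0

    def issue(self, subject: str, audience: str, now: float, ttl: int = 300) -> str:
        self._counter += 1
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": int(now), "exp": int(now) + ttl,
                  "jti": f"{self.issuer}-{self._counter}"}   # unique assertion ID
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """A relying party. Accepts assertions only from issuers on its trust
    list, only if addressed to it, unexpired, correctly signed and not
    seen before."""

    def __init__(self, name: str, trusted_keys: dict):
        self.name, self.trusted_keys = name, trusted_keys
        self._seen = set()

    def verify(self, token: str, now: float) -> dict:
        body, _, sig = token.partition(".")
        claims = json.loads(_unb64(body))
        key = self.trusted_keys.get(claims.get("iss"))
        if key is None:
            raise ValueError("issuer not in trust list")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        if claims.get("aud") != self.name:
            raise ValueError("assertion addressed to another party")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("expired or not yet valid")
        if claims["jti"] in self._seen:
            raise ValueError("replayed assertion")
        self._seen.add(claims["jti"])
        return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Runs the exchange once and records why each bad assertion fails."""
    partner_key = b"partner-secret-key"          # constructed key
    partner = IdentityProvider("idp.partner.example", partner_key)
    rogue = IdentityProvider("idp.rogue.example", b"rogue-key")
    sp = ServiceProvider("erp.acme.example", {"idp.partner.example": partner_key})
    results = {}
    good = partner.issue("jdoe", "erp.acme.example", now)
    results["accepted"] = sp.verify(good, now)["sub"]
    cases = [
        ("untrusted_issuer", rogue.issue("jdoe", "erp.acme.example", now), now),
        ("wrong_audience", partner.issue("jdoe", "crm.acme.example", now), now),
        ("replay", good, now),
        ("expired", partner.issue("jdoe", "erp.acme.example", now), now + 600),
    ]
    for label, token, at in cases:
        try:
            sp.verify(token, at)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo(time.time()).items():
        print(f"{label:18} {outcome}")
```

The weakest-link point in the text is visible in `trusted_keys`: any issuer on that list can assert any subject, so a compromised partner key lets an attacker log in to the ERP system as anyone. That is why the federation agreement needs the control assertions and certification the text describes, and why the audience check matters: without it, an assertion a partner issued for one service could be replayed against another.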
IDENTITY MANAGEMENT AND PRIVACY LAWS
A variety of privacy laws now compel organizations to ensure that their information systems provide data privacy. Many privacy laws, at least in spirit, oppose the notion of centralized user information repositories, which are a primary component of identity management systems.
Governments at all levels can and do enact privacy laws, which complicates compliance efforts. In addition, jurisdiction of privacy laws in a business context can be more expansive than some other forms of legal jurisdiction. As a consequence, organizations should conduct a jurisdictional risk assessment that includes a data map identifying geographically where each privacy law applies to an organization’s operations. Organizations should then use that risk assessment when building privacy compliance into their identity management systems.
International privacy laws (the European Union [E.U.] Data Protection Directive is a prime example) restrict transborder flows of personally identifiable information. Exceptions exist in some cases, such as transfers in the vital interest of the individual, but organizations must institute controls to comply with these laws.
■ Technology Infrastructure Security
In the era of the Web, a mere perimeter defense of an enterprise's IT resources is inadequate. Components of a traditional perimeter and network security infrastructure, such as firewalls and virtual private networks (VPNs), are now being combined with system, application, and data protection methods in a multidimensional approach to infrastructure security.
FIREWALLS
Personal and wireless firewalls are gaining popularity, expanding both the scope and number of firewalls that organizations use. New kinds of firewalls now augment the network-layer, packet-filtering variety. Application-level firewall capabilities have become important to protect against attacks that use the Hypertext Transfer Protocol (HTTP) to bypass network-layer firewalls: a packet filter that permits port 80 sees nothing wrong with a malicious request carried inside an otherwise valid HTTP connection. These firewalls inspect traffic at the application layer rather than the network layer. Deep packet inspection, which examines content inside the application payload for malicious code, is now a feature of some products. These methods introduce more latency into network traffic, and vendors have responded by developing faster network processors to accelerate both inspection and filtering.
INTRUSION DETECTION SYSTEMS
Firewalls are also absorbing more of the functionality of intrusion detection systems (IDSs), which monitor user and system activity in a passive mode, analyzing anomalous behavior and logging policy violations. IDSs also issue alerts when they detect anomalies. Because normal enterprise information system behaviors can vary widely and normal and abnormal behaviors are difficult for IDSs to differentiate, anomaly detection is imperfect. As a result, IDSs are known for generating false alerts. Instead of simply generating alerts, intrusion prevention systems (IPSs) can block attacks directly. IPSs, however, are still in the early stages of development. These systems have been known to mistakenly block legitimate traffic, or allow intruders to deliberately trigger blocking as a form of a denial of service attack.
VIRTUAL PRIVATE NETWORKS
VPNs continue to provide reasonably good security between endpoints, allowing organizations to expand their perimeter of trust. However, they can be cumbersome and slow. Many kinds of VPNs create an encryption tunnel by encapsulating packets in an additional protocol before transmission, most often over the Internet. Among these, Internet Protocol Security (IPSec) VPNs are the most common, and have proven to be useful for providing access to applications.
Secure Sockets Layer (SSL) VPNs gained popularity in 2003. These VPNs do not require a separate client other than a Web browser and they are less expensive and easier to install than IPSec VPNs. However, SSL VPNs have the security limitations associated with browsers.
Many carriers now offer Multiprotocol Label Switching (MPLS) VPNs, which use packet label switched paths. These VPNs are deployed as a network by a single service provider; in contrast, IPSec and SSL VPNs are deployed as a set of point-to-point links. The paths themselves are used to create private networks, a technique similar to closed frame relay networks. However, MPLS IP VPNs increase routing table complexity and the need for special attention to router and switch security. For these reasons, most carriers offer Layer 2 implementations of MPLS VPNs.
WIRELESS LOCAL AREA NETWORKS
Wireless access, which has become much more popular with the advent of wireless fidelity (Wi-Fi) local area networks (LANs) based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards, adds another dimension of complexity to the security problem. One response to this problem is to implement multiple security layers. For example, organizations could use an additional authentication layer and application-level security, or they could use media access control (MAC) address filtering to restrict wireless LAN (WLAN) access to an approved set of client devices. MAC filtering deserves only the modest weight of one layer among several: MAC addresses are transmitted in the clear on the air and can be copied onto an attacker's card, so filtering deters casual association but not a determined intruder.
The problem of rogue access points, installed by employees without notifying IT departments, underscores the need to establish effective security policy management, including frequent compliance testing and adequate enforcement. Proper wireless client configuration, such as enabling Wired Equivalent Privacy (WEP) using the longest available key length and disabling file and disk sharing, is also essential. Even so, WEP's documented weaknesses lie in how it reuses RC4 keystreams across short initialization vectors, not in key length; a longer key means an attacker must capture more traffic before recovering it, not that recovery is prevented.
Although the IEEE 802.11i standard for security of WLANs is still in flux, some vendors have replaced WEP with Wi-Fi Protected Access (WPA), an interim profile the Wi-Fi Alliance drew from the draft standard and which is not itself part of a finalized standard. The forthcoming standard defines the Robust Security Network (RSN), with AES-based encryption, which the Wi-Fi Alliance is expected to brand as WPA2 when finalized. Regardless of the encryption standard in place, most WLAN intrusions simply exploit systems that are not properly configured or do not enable encryption at all.
Some application security has infrastructure implications. The security of ERP applications requires special attention to the underlying components of ERP, which include data stores, operating systems, and the network infrastructure. Preserving the integrity of ERP data requires appropriate controls at all these levels.
In 2003, organizations primarily used Web services internally because of numerous security and interoperability concerns. Acceptable business use outside the enterprise requires authentication and non-repudiation of individual Web service messages. To ensure interoperability and consistent policy management requires the establishment of a centralized, shared management framework. Security Assertion Markup Language (SAML), an XML format for exchanging authentication and authorization assertions between security domains, is a preliminary step toward such a framework.
WS-Security, which is complementary to SAML, is a foundation for a set of Web services standards that are specified in a road map outlined by vendors including IBM and Microsoft. It allows the use of different credentials, and provides a general specification for the use of tokens with messages by using XML Signature and XML Encryption. XML Signature and XML Encryption can be used to sign and encrypt any files, not just those that contain Extensible Markup Language (XML).
■ Threat and Vulnerability Detection
In the context of IT security, threats are hostile forces that could possibly endanger information assets, while asset vulnerabilities are susceptibilities to attacks on IT systems. Enterprises that anticipate these problems by using both threat and vulnerability detection, in addition to effective security information management, are best poised to minimize the effects of malicious attacks.
The number of threats and vulnerabilities is on the rise because of the increased use of distributed computing environments, which make it easier to conduct remote, anonymous, and large-scale attacks. Web services, grid computing, shared storage systems, and peer-to-peer applications are all elements of this distributed environment, and all further complicate the problem of security management. Consequently, thorough security policy development, dissemination, compliance, and enforcement become even more essential to ensuring system availability, data confidentiality, and integrity.
Threat detection activities include intrusion monitoring, malicious program identification, log activity analysis, and rogue technology discovery. Intrusion monitoring uses intrusion detection or prevention systems to generate intrusion alerts and prevent compromises. Log activity analysis allows organizations to identify and examine significant security events. For that reason, it is the first step in event correlation, which compares events across a range of assets. The amount of log data that is generated and stored is increasing, and as a result, the use of data warehousing techniques is becoming more common in security information management.
Rogue technology discovery, the identification of unauthorized hardware, software, or configuration changes, includes techniques such as port scanning to identify unauthorized network traffic. Because a number of rogue technologies are difficult to detect, security policy definition and dissemination, with strict penalties for employee noncompliance, is the first line of defense.
Although threats can be both external and internal, survey results indicate that internal threats are greater than the external variety. This fact underscores the insufficiency of mere perimeter security and the need for organizations to allocate sufficient resources to combat internal threats.
Vulnerability detection activities include compliance testing, vulnerability scanning, and operations availability analysis. Compliance testing requires an evidence gathering process so that compliance testers can document their findings. Vulnerability scanning takes a two-pronged approach: detecting common vulnerabilities, and detecting vulnerabilities that are unique to particular environments. Common vulnerabilities generally fall into three categories: defective software; poor system design, implementation, and operational practices; or failure to enforce security policies.
Security penetration testing, also called ethical hacking, uses simulated attacks to confirm the existence of vulnerabilities and demonstrate the potential impact of an attack, such as being able to read the CEO’s e-mail. Operations availability analysis reviews the factors that have a negative impact on availability—poor resource management, inadequate operational procedures, or natural disasters, for example— and seeks a solution within the framework of enterprise systems management (ESM).
■ Security Remediation
A complete remediation strategy consists of three activities: security infrastructure implementation, remediation, and incident response.
Any infrastructure implementation plan should incorporate measures to address security concerns. Management should review the resources that must be protected and the threats to those resources and conduct a risk assessment. The planned system architecture should incorporate necessary security tools at the outset and establish systems management so that it includes the use of these tools.
Security remediation is the ongoing process of tasks such as correcting configuration problems and applying vendor-supplied updates (known as patches) that correct security deficiencies. Companies set remediation priorities based on asset classification activities, so that high-value assets are given the highest level of protection. However, the case of the SQL Slammer worm demonstrated that only one vulnerable machine was necessary to expose an entire internal network: it exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE for which a patch had been available for about six months, and many of the hosts it found were low-priority desktop or development installations that nobody had classified as database servers.
A security incident is any event that compromises, or could compromise, an organization’s security posture. The cost of such a compromise could be exceedingly high and even cripple the organization. For this reason, enterprises should adopt a proactive approach to incident response.
Proactive incident response involves the design, assembly, and testing of an incident response plan in preparation for a wide variety of compromises that could occur. The plan should anticipate all the main steps in an actual response process, including identification, classification, notification, response, assessment, and post-mortem. The assessment phase of the process relies on properly placed IDSs and rigorous data collection techniques so that a proper forensic analysis can take place and legal evidence can be developed for the purposes of prosecution. Much also depends on the training and management of the incident response team.
■ Security Information Management
Converting security data to information that facilitates action is a difficult process because of the disparate security data sources that exist and the overwhelming amount of security-related data that is generated. Often, organizations decide not to generate activity logs because of the high cost of storing them and the amount of time necessary to review them.
The best way to review activity logs, in fact, is not one at a time, but by comparing output from multiple data sources, a process known as event correlation. This approach gives enterprises a better view of a given attack. Additionally, if people in different roles could use the information in different ways and view the information and level of detail most relevant to them, they could interpret the information better and make more informed decisions.
Security information management (SIM) activities are designed to resolve these problems. SIM systems aggregate security data from a variety of sources and help analyze, present, and distribute it in a useful form. To achieve this goal, organizations are looking to the security dashboard, which provides a high-level view of an organization's security status. The dashboard functions in much the same way as business intelligence tools that companies use to aggregate, analyze, and distribute near real-time operations data to executives.
The dashboard can help organizations to reduce their incident response time, better allocate resources, and make more informed decisions. SIM tools also assist with asset classification, event correlation, standards and policies management, and reporting. These packages can report events in near real time, correlating several login attempts on different systems from the same IP address, for example.
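The correlation the text uses as its example (several login attempts on different systems from the same IP address), and the log activity analysis that the Threat and Vulnerability Detection section calls the first step toward it, reduce to a small amount of logic once the events from each host are parsed into a common shape. The following is an added example, not code from the book or from any SIM product; the log lines are constructed in a syslog-like layout with an ISO timestamp, hostname and sshd message, and the thresholds (three hosts within five minutes) are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real log data): timestamp, host, program, message.
SAMPLE_LOG = """\
2003-11-05T10:01:13 web01 sshd[412]: Failed password for root from 203.0.113.7 port 5522 ssh2
2003-11-05T10:01:40 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
2003-11-05T10:02:40 db01 sshd[919]: Failed password for invalid user oracle from 203.0.113.7 port 5530 ssh2
2003-11-05T10:02:55 web01 sshd[430]: Failed password for jsmith from 198.51.100.9 port 40110 ssh2
2003-11-05T10:03:05 mail01 sshd[233]: Failed password for root from 203.0.113.7 port 5541 ssh2
2003-11-05T10:03:20 web01 sshd[431]: Accepted password for jsmith from 198.51.100.9 port 40112 ssh2
2003-11-05T10:03:50 db01 sshd[921]: Accepted password for backup from 203.0.113.7 port 5550 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse(text):
    """Normalize sshd authentication events from many hosts into one
    event list; lines from other programs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), min_hosts=3):
    """One alert per source IP whose failed logins reach `min_hosts`
    distinct hosts inside a sliding time window, fired at the moment the
    threshold is crossed. Any later successful login from the same IP is
    attached, because a spray followed by a success is what to escalate."""
    failed = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failed[e["ip"]].append(e)
    alerts = []
    for ip, evs in failed.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                later_ok = [f'{x["user"]}@{x["host"]}' for x in events
                            if x["ip"] == ip and x["result"] == "Accepted"
                            and x["ts"] >= e["ts"]]
                alerts.append({"ip": ip, "hosts": sorted(hosts),
                               "attempts": end - start + 1,
                               "fired_at": e["ts"].isoformat(),
                               "successes_after": later_ok})
                break   # one alert per source; a SIM would suppress repeats the same way
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

Seen host by host, 203.0.113.7 produces one failed login per machine, which is below any single-host lockout threshold; only the cross-host view turns three unremarkable lines into an alert, and the trailing successful login as `backup` on `db01` is the line an analyst would act on first. The second address, 198.51.100.9, fails once and then succeeds on the same host, the ordinary mistyped-password case, and correctly produces nothing.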
Commercial security intelligence services help to consolidate and filter alert and vulnerability information, tailoring it to the needs of their customers. These services also monitor public Internet sources to alert customers to types of threats the customers specify. As these services evolve, they are expected to provide more information, such as tips on applying patches, rankings of threat and vulnerability levels, and combined threat and vulnerability alerts.
Information security is undergoing a fundamental transformation. Business leaders are taking a hard look at the risks and opportunities presented when data resides at the center of almost every core business activity in organizations across the world. No longer is security merely an administrative detail on the overhead budget, or a technical issue easily addressed with a popular, off-the-shelf technology product. During the last decade, for many organizations, security has risen rapidly to the top of the corporate agenda as a strategic business process that affects what organizations value most: their purpose, performance, and accountability to stakeholders.
Meeting these performance objectives begins with recognizing the new business imperative that information security must directly support enterprise business objectives. To achieve this support, however, business leaders need to manage security end-to-end across the enterprise, in a coordinated manner from the top down, through a disciplined and integrated approach that captures the full value of security. This represents the new standard in information security: a comprehensive and integrated end-to-end security platform.
Five building blocks are essential to establishing such a platform: (1) an understanding of security and how it contributes value to an organization; (2) an appreciation for the external factors that continue to transform security’s role; (3) the identification of strategic elements that underlie any comprehensive and integrated approach to planning and implementing enterprise security; (4) a comprehensive model that specifically explains how the value of security is identified, created, captured, and sustained in an organization; and (5) a set of integrated security solutions that adapt this model to a specific organization’s objectives, generate a company-specific “vision of security,” create a strategic implementation blueprint, and deliver an end-to-end security platform.
This sequence, from concept to execution, is the most direct manner of addressing what security can offer enterprises, and as such, has been selected as the organizational framework for this book.
■ Understanding Information Security Today
Information security delivers benefits to many constituencies in a given organization. In the United States, the chief executive officer (CEO), for example, may be primarily concerned with meeting new obligations mandated by the Sarbanes-Oxley Act of 2002.
As a result, he or she may favor security initiatives that increase the integrity of internal controls. The sales manager may be more interested in identity management (IdM) and access control solutions that help customers access their account information from anywhere in the world. Information technology (IT) staff responsible for round-the-clock system availability may prefer means of protection that make it harder for threats to exploit asset vulnerabilities. Each of these constituents, or internal buyers of security, will define security, its value, and its capabilities in a different way.
An integrated approach to security must provide a framework that prioritizes varying internal demands on security in a manner that best meets the needs of an organization. A first step in this direction requires a better understanding of how security is defined today and how it contributes value to an organization. A second step requires a grasp of one of the most frequently misunderstood dimensions in security: the relationship between security and privacy.
DEFINING INFORMATION SECURITY
Information security can be defined by its strategic role in business performance, its potential in enhancing the protection of information assets while enabling proper access to them, and the resource components that must be engaged to ensure its effectiveness. Security also can be defined as an increasingly important aspect of the relationship between an organization and its customers, partners, and employees.
Most importantly, security is a strategic business process for organizations because providing a balance of protection and enablement in line with business objectives will substantially improve operating performance. Forward-looking organizations that align security with enterprise objectives are more likely to translate security strategy into reduced costs of doing business, revenue enhancement, competitive advantage, and ultimately, shareholder value. Organizations that fail to align security with their business objectives will find their performance diminished and long-term viability threatened. This notion of security as a business enabler is now an essential concept for enterprises in every industry.
As a strategic process, security either protects an organization’s information assets from harm or misuse, or enables access to information assets in a manner that supports the organization’s objectives. Together, these two concepts—security as protection and security as enablement—comprehensively define the promise of security for organizations. The extent to which organizations address the tradeoffs between these two business imperatives will determine the integrity of their strategic alignment.
Security today is not based solely on technology, but is rather an integrated business solution based on a strategic combination of organizational resources, process, and technology. (See Figure 1.) Without the rules, responsibilities, and procedures prescribed by process, and in the absence of the people that are required to manage and oversee these processes, investment in technology alone is an expensive failure. This concept of security as an integrated solution is essential to transforming security's promise into a pragmatic, working security platform that delivers, over time, increasingly quantifiable business results.
As the role of security continues to evolve, executives are beginning to recognize that security is the first step in the relationship between an organization and its customers, partners, and employees. Security is now personal, because security now determines whether an individual’s request for access is granted or denied. This concept of security as gatekeeper carries enormous implications for organizations because trust is the foundation for trade, and the lack of appropriate access or treatment is a good reason to take business elsewhere.
THE VALUE OF INFORMATION SECURITY
Security’s role in organizations is evolving so fast that simply keeping up with its promise and potential is difficult for many organizations, particularly because many still focus significant resources on managing an outdated security infrastructure. Many organizations find it difficult to develop a mature vision of security because those most responsible for security decision-making lack consensus on precisely what constitutes the value of security.
The value of security is fundamentally based on the relationship between security and what an organization values most—its purpose and its performance. Consequently, the value of security depends on the extent to which security is aligned with an organization’s objectives. Security either contributes value to the enterprise when appropriately implemented, or drains value from the enterprise when its role is poorly anchored in the organization’s operating environment.
The value of security can also be expressed in terms of protection, enablement, and a balance between both imperatives.
With respect to protection, the value of security is directly related to the total value of damages and losses efficiently prevented. The concept of security as protection is similar to the concept of security as a means of mitigating risk. Organizations that approach security primarily from this perspective focus on solutions that address the identification of threats and vulnerabilities, as well as strategies to mitigate, prevent, and recover from the impact of negative security-related events upon operations.
The value of enablement is determined by how far IT-enabled improvements in the relationships with customers, employees, and business partners make it easier for them to conduct business with the company. Organizations that address security primarily from this perspective focus on solutions that coordinate the enablement of users, processes, and the security infrastructure without exposing information assets to unnecessary risk.
Given the natural tension that exists between protecting information assets and enabling access to them, the value of security also depends upon the ability of an organization to strike a balance between the two goals. Additionally, enterprises must effectively manage risk by understanding what assets are critical to their business and then applying enablement and protection to those assets. Enterprises will maximize the value of security if these tradeoffs are determined through a disciplined and comprehensive process that aligns the security infrastructure with the organization’s mission.
SECURITY AND PRIVACY
Any discussion of information security should address the relationship between security and privacy, if only because the notions of security and privacy are intimately related, fundamentally different, and frequently confused.
From a consumer’s standpoint, privacy is the fundamental right of individuals to determine the collection and processing of their personal data and the right to have that information protected from unwarranted use or disclosure. From an enterprise standpoint, privacy encompasses the positions and policies intended to manage the aggregation, processing, storage, dissemination, and destruction of personal data.
Because security provides value only when aligned with business objectives, security must help an organization sustain the integrity of its stated position on privacy and the policies that translate this position into practical operating capabilities. Security provides this value by supporting privacy objectives both through protection and through enablement.
On the one hand, security supports privacy in a protective capacity by ensuring that when an enterprise collects, processes, stores, distributes, or destroys personal data, it does so in a secure and appropriate manner. Companies are frequently not aware of how much data their systems collect, its precise nature, and the potential costs if this information is not accorded the appropriate safeguards.
On the other hand, security supports privacy in an enablement capacity by helping organizations to use privacy as a means of differentiating their service or product offering, creating a competitive advantage, or enhancing their reputation and brand integrity through their commitment to building an implicit covenant of trust with customers and other stakeholders. There is growing evidence that consumers are increasingly interested in doing business with companies that they perceive to be strong, open, and trustworthy on privacy.
■ Trends Shaping the Demand for Information Security
The role of information security is continually evolving in response to two sets of factors: the external forces that precipitate broad, market-based demand for security solutions; and the extent to which security decision-makers and planners understand how to extract the maximum value from what already represents, for many enterprises, significant expenditures on security point products that have yet to demonstrate a quantifiable return on investment.
With respect to external market forces, organizations are under pressure to continuously launch new business initiatives, meet new regulatory requirements, and resolve increasingly complex challenges associated with an expanding enterprise perimeter. Precisely how organizations respond to these challenges, however, is the most important factor in determining whether, and to what extent, the enterprise can succeed during the next several years in harvesting the full promise of security.
BUSINESS INITIATIVES AND DEMAND
Maintaining a competitive market position in any industry depends upon an organization’s ability to launch new business initiatives on a regular basis. These initiatives tend to focus on revenue-enhancing objectives such as increased customer satisfaction, greater workforce productivity, better supplier and partner integration, and more cost-effective back office operations. Launching these initiatives, however, requires a strong Internet-based infrastructure that extends the enterprise perimeter, allows many different classes of users to access the enterprise network, and places valuable enterprise information assets at risk. Because launching these initiatives is a major business priority, developing the necessary IT infrastructure requires building up the appropriate security capabilities.
REGULATORY AND GOVERNANCE REQUIREMENTS
New business initiatives must be implemented, however, within the context of increasingly stringent legal and regulatory requirements. Recent U.S. legislation such as the Sarbanes-Oxley Act of 2002 mandates executive-level accountability for business integrity, while industry-specific regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) now require enterprises to implement additional security controls for the systems that collect, process, store, and report information.
This U.S. legislation follows even more wide-ranging European Union (E.U.) legislation. The E.U. Data Protection Directive of 1995, for example, has provisions for both data protection and access, although it is best known for its stringent data protection requirements. The cumulative impact of this legislation has executives focusing on the accountability for information security.
THE COMPLEXITIES OF THE EXTENDED ENTERPRISE
Ongoing business initiatives and more stringent regulatory requirements are all the more difficult to manage in a security environment that is increasingly complex and dangerous. The following trends keep raising the costs of implementing solutions, as well as the stakes if appropriate action is not taken.
Increase in Threats The number of potential threats has grown at an accelerating rate, even as the skill an attacker needs to exploit a vulnerability has declined precipitously.
Increase in Vulnerabilities The lines of code in operating systems and applications have increased by several orders of magnitude, giving vulnerabilities more places to hide, giving malicious code more to exploit, and making the environment far more complex to patch.
Increase in Access The pressure to keep extending the boundaries of the enterprise builds as each additional point of access emerges through new handheld devices, wireless networks, and virtual private networks.
Increase in Identities On a global basis, organizations must now manage more identities—not only in their own workforce, but also in those of their suppliers, business partners, and customers.
THE PRICE OF COMPLACENCY
Far too many organizations respond only to security events and then find themselves on a rapidly escalating security threat and response cycle. As a result of this approach, many organizations unintentionally but chronically underfund basic security functions. When an incident occurs, resources are pulled away from standard operating functions, and inefficiencies spread across departments. For example, because many companies do not yet have dedicated incident response staff, personnel are temporarily reassigned from system and network administration teams when a security breach is identified. Much of this disruption is unnecessary if an organization adopts a comprehensive and integrated approach to security.
ENABLING ACCESS TO INFORMATION
One of two business imperatives in security is for organizations to develop capabilities that enable appropriate access to information assets while safeguarding them at the same time. In the past, an organization simply had to maintain a hard, fixed perimeter to secure its assets. Today, the extended enterprise perimeter allows thousands more users, such as business partners, suppliers, customers, and employees working off-site or at home, to reach into the enterprise from almost anywhere in the world.
Important security objectives in enabling access include ensuring that only the appropriate people gain controlled access to resources; establishing a single view of the user across the enterprise; and meeting these requirements with a comprehensive, integrated, and cost-effective approach. Many of the technical challenges in implementing these objectives lie in the difficulties of managing identities, technical infrastructure, and related business processes within the constraints imposed by a fragmented and outdated security architecture.
In companies that have yet to establish an integrated solution, users who require access are simultaneously working on many different systems and accessing data from multiple locations. Each user has a different password and privileges for each discrete system. Each time a customer, vendor, or employee changes status, jobs, or assignments, a member of the IT administrative staff must add or delete privileges, an inefficient process that drains staff time, drives up administration costs, and increases the risks associated with delayed provisioning or incorrect data entry from a manually administered system. Furthermore, when system components malfunction, workaround solutions are often configured without a complementary relationship to other components of the security platform. Over time, this practice results in the high costs and unmitigated risks associated with a fragmented IT architecture.
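The risks just described (accounts left live after a status change, privileges carried over from a previous job, accounts no system of record can explain) are exactly what a reconciliation between an authoritative identity source and each system's own account list surfaces. The following is an added example written for this page, not code from PricewaterhouseCoopers or the paper. The HR feed, the role-to-entitlement policy, the account exports, and the account names are all constructed data; the severity ordering is an assumption.

```python
"""Reconcile per-system accounts against an authoritative identity source.

Added example for this page; it is not code from PricewaterhouseCoopers or the
paper. The HR feed, role policy and system exports below are constructed data.
"""
from dataclasses import dataclass

# Constructed authoritative record: one entry per person from the HR system.
HR_FEED = {
    "alice": {"status": "active", "role": "sales"},
    "bob": {"status": "terminated", "role": "sales"},     # left, accounts never removed
    "carol": {"status": "active", "role": "dba"},
    "dave": {"status": "active", "role": "sales"},        # moved from dba to sales
}

# Constructed policy: which (system, privilege) pairs each business role should hold.
ROLE_ENTITLEMENTS = {
    "sales": {("crm", "user"), ("mail", "user")},
    "dba": {("oracle", "dba"), ("mail", "user")},
}

# Constructed account exports from each discrete system: (system, account, privilege).
SYSTEM_EXPORTS = [
    ("crm", "alice", "user"), ("mail", "alice", "user"),
    ("crm", "bob", "user"), ("mail", "bob", "user"),
    ("oracle", "carol", "dba"), ("mail", "carol", "user"),
    ("oracle", "dave", "dba"), ("mail", "dave", "user"),  # old role's rights kept, new ones not granted
    ("oracle", "svc_backup", "dba"),                      # account with no HR record at all
]

# Review order (assumed): live accounts of departed people first, unexplained accounts
# next, then over-entitlement, then users still waiting for access they should have.
SEVERITY = {"orphaned": 0, "unknown": 1, "excess": 2, "missing": 3}


@dataclass(frozen=True)
class Finding:
    kind: str       # one of the SEVERITY keys
    account: str
    system: str
    privilege: str


def reconcile(hr_feed, role_entitlements, exports):
    """Compare what each account actually holds with what its role entitles it to."""
    held_by_account = {}
    for system, account, privilege in exports:
        held_by_account.setdefault(account, set()).add((system, privilege))

    findings = []
    for account, held in held_by_account.items():
        person = hr_feed.get(account)
        if person is None:
            findings += [Finding("unknown", account, s, p) for s, p in held]
        elif person["status"] != "active":
            findings += [Finding("orphaned", account, s, p) for s, p in held]
        else:
            expected = role_entitlements.get(person["role"], set())
            findings += [Finding("excess", account, s, p) for s, p in held - expected]

    # Provisioning lag: active people whose role grants rights they do not yet have.
    for account, person in hr_feed.items():
        if person["status"] == "active":
            expected = role_entitlements.get(person["role"], set())
            missing = expected - held_by_account.get(account, set())
            findings += [Finding("missing", account, s, p) for s, p in missing]

    return sorted(findings, key=lambda f: (SEVERITY[f.kind], f.account, f.system))


if __name__ == "__main__":
    for f in reconcile(HR_FEED, ROLE_ENTITLEMENTS, SYSTEM_EXPORTS):
        print(f"{f.kind:9} {f.account:12} {f.system}:{f.privilege}")
```

Run against the constructed data, the report lists bob's two live accounts first, then the unexplained svc_backup account, dave's leftover database privilege, and finally the CRM access dave is still waiting for. Each of those is a discrepancy that a centralized identity source makes visible in one pass, and that a manually administered collection of systems only reveals one ticket at a time.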
The second business imperative in security is ensuring the integrity, privacy, confidentiality, and availability of an organization’s information assets—assets that are frequently essential to enterprise performance, exclusive to the organization, or subject to privacy requirements.
Important security objectives in protecting information assets include developing the appropriate capabilities to identify threats or attacks that attempt to exploit asset and technology vulnerabilities; identify vulnerabilities in assets before they can be exploited; mitigate the threats and vulnerabilities that have been identified; and generate and report usable security information to either internal or external constituencies in a timely manner.
For many enterprises, the challenges in building effective capabilities in protection are based on the fact that many enterprises still depend on outdated security architectures that are a collection of poorly integrated point products. These products focus on different components of the threat and vulnerability spectrum and are rarely configured to communicate with one another. Far too often, the integration of these products with enterprise business processes and internal roles and responsibilities is weak, poorly supported, or simply absent. But more importantly, whenever a point product drives an implementation, the solution becomes technology based, and without the support of process and organizational resources, the solution is unsustainable. Because cross-product coordination is poor, enterprises must commit many resources to managing the capabilities in individual departments. This approach results in high costs and operating inefficiencies that siphon value from an organization over time.
What point products do generate, intrusion detection systems in particular, is data: huge volumes of it every day. This deluge of security-related data creates critical resource issues. Organizations either fail to use the data because they lack the resources to filter, interpret, and prioritize it into usable information, or they waste valuable resources reviewing discrete data sources that do not provide a comprehensive view of threats and vulnerabilities.
IT managers may elect to reconfigure sophisticated technologies to avoid receiving data they cannot manage. This increasingly widespread practice obviates the benefits that justified the original technology purchase and leaves the enterprise to struggle with a new list of problems. These problems can include false-positive reports as well as the attendant operational dislocations and costs when expensive incident recovery procedures are activated. Of even greater concern is the fact that real incidents remain hidden and untracked.
Organizations have deficits in protection that are strategic in nature. For example, without centralized security information management (SIM) capabilities, IT managers cannot use newer data correlation technologies necessary to detect and prevent the latest complex coordinated attacks. Neither can managers generate the metrics necessary to measure actual performance, establish benchmarks, and engage in continuous improvement. Furthermore, disparate data sources make timely and accurate reporting far more difficult, which means that critical security data is not reaching strategic decision-makers. Other capability gaps include, in some cases, an inability to prove regulatory and risk management compliance, and an inability to establish the audit trails necessary for forensics and the mitigation of future incidents.
The best means of addressing these capability shortfalls is in adopting an integrated approach to security. Managers are starting to understand that the key in harvesting the most value from protection is now in extracting value from the data stream. Raw data does not help businesses solve problems—information does. As a growing number of managers are beginning to recognize, translating this data into information requires an integrated solution that, among other capabilities, aggregates, sifts, and prioritizes data through a centralized approach to SIM.
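The three verbs in the preceding paragraph, aggregate, sift, and prioritize, are concrete enough to show in code. The following is an added example written for this page, not code from the paper or from any SIM product. It normalizes two constructed log formats (a firewall and an IDS, hosts and addresses invented) into one schema, drops sources that produced nothing but isolated denied connections, collapses duplicate alerts, and scores the rest higher when a port scan from one address is followed by an attack on the same target. The formats, the 60-second window, and the scoring weights are all assumptions.

```python
"""A minimal security information management (SIM) pass over point-product logs.

Added example for this page, not code from the paper or from any product. The two
log formats, hosts and addresses are constructed; the scoring weights are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed firewall log lines (one hypothetical format).
FIREWALL_LOGS = [
    "2004-03-01T10:00:01 fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2004-03-01T10:00:02 fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=23",
    "2004-03-01T10:00:03 fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=80",
    "2004-03-01T10:00:04 fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=443",
    "2004-03-01T10:00:09 fw1 ALLOW src=203.0.113.9 dst=10.0.0.5 dport=8080",
    "2004-03-01T11:30:00 fw1 DENY src=198.51.100.4 dst=10.0.0.7 dport=445",
]
# Constructed IDS alert lines (a second format; a lower priority number is more severe).
IDS_LOGS = [
    "2004-03-01T10:00:10 ids1 [1:2003:3] WEB-MISC long URI attempt [Priority: 1] 203.0.113.9 -> 10.0.0.5:8080",
    "2004-03-01T10:00:11 ids1 [1:2003:3] WEB-MISC long URI attempt [Priority: 1] 203.0.113.9 -> 10.0.0.5:8080",
    "2004-03-01T12:00:00 ids1 [1:100:1] ICMP PING NMAP [Priority: 3] 192.0.2.77 -> 10.0.0.9",
]

FW_RE = re.compile(r"^(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) \S+ \[[\d:]+\] (.+?) \[Priority: (\d)\] (\S+) -> (\S+?)(?::\d+)?$")


@dataclass
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    src: str
    dst: str
    kind: str          # "deny", "allow" or "alert"
    detail: str        # destination port for firewall events, signature text for alerts
    priority: int = 0  # IDS priority (1 = most severe); 0 for firewall events


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, port = m.groups()
    return Event(datetime.fromisoformat(ts), src, dst, action.lower(), port)


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts, signature, priority, src, dst = m.groups()
    return Event(datetime.fromisoformat(ts), src, dst, "alert", signature, int(priority))


def correlate(events, window=timedelta(seconds=60), scan_ports=3):
    """Turn a flat event stream into incidents ranked by score, one per source address.

    A "scan" is at least `scan_ports` distinct denied ports from one source inside `window`.
    Identical alerts (same source, target and signature) collapse into one line with a count.
    An alert that follows a scan from the same source within `window` is escalated. A source
    that produced nothing but isolated denies is dropped as noise rather than reported.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    incidents = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e.kind == "deny"]
        scan_end = None
        for i, first in enumerate(denies):
            burst = [d for d in denies[i:] if d.ts - first.ts <= window]
            if len({d.detail for d in burst}) >= scan_ports:
                scan_end = burst[-1].ts
                break

        alerts = defaultdict(list)
        for a in (e for e in evs if e.kind == "alert"):
            alerts[(a.dst, a.detail, a.priority)].append(a)

        if scan_end is None and not alerts:
            continue  # isolated denies only: noise

        score, evidence = 0, []
        if scan_end is not None:
            score += 3
            evidence.append(f"port scan: {len({d.detail for d in denies})} distinct ports denied")
        for (dst, signature, priority), hits in alerts.items():
            score += (4 - priority) * 2           # priority 1 -> 6, priority 3 -> 2
            if scan_end is not None and timedelta(0) <= hits[0].ts - scan_end <= window:
                score += 2                         # recon followed by an attack on the same target
                evidence.append(f"alert after scan: {signature} -> {dst} (x{len(hits)})")
            else:
                evidence.append(f"alert: {signature} -> {dst} (x{len(hits)})")
        incidents.append({"src": src, "score": score, "evidence": evidence})

    return sorted(incidents, key=lambda inc: inc["score"], reverse=True)


def run(fw_lines=FIREWALL_LOGS, ids_lines=IDS_LOGS):
    """Aggregate both sources and return the prioritized incident list."""
    events = [e for e in map(parse_firewall, fw_lines) if e]
    events += [e for e in map(parse_ids, ids_lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for inc in run():
        print(inc["score"], inc["src"], "; ".join(inc["evidence"]))
```

On the constructed input, nine raw lines become two incidents: the scanning address whose two identical web alerts are folded into one line and escalated because they arrived seconds after the scan, and a low-priority ping sweep. The single denied connection from the third address is never shown to an analyst at all. That is the difference between a data stream and information that the paragraph above is describing.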
CUMULATIVE RETURN ON INVESTMENT
In many industries, business managers are examining their cumulative investment in security technologies during the last several years, and wondering why the value of the investment has not yet materialized and how to proceed with security investments from this point forward. Confused by their failure to see the value of security, some managers are susceptible to growing misconceptions about the capabilities of their security platforms. These misconceptions at best can mislead future security investments, and at worst may present enterprises with additional risk exposure.
For some executives, the vast investment in security has fostered a false sense of security—a misguided confidence that their information access and protection requirements are being met. Convictions such as these inflate the expectations placed on chief information officers (CIOs) and chief security officers (CSOs) asked to deliver on the promises of new technologies without the support of the integrated platform architecture necessary to deliver actual results. In some cases, these inflated expectations may hasten the departure of the technical people most qualified to help the enterprise properly address its security agenda.
In other cases, executives are still looking for empirical evidence that the heavy investment they authorized for the last wave of point products is paying off. These managers prefer to see more rigorous standards applied to the approval of future security initiatives. Based in part on this viewpoint, these executives pressure their IT staff to justify new security initiatives in terms of quantifiable return on investment. That strategy may make sense when enterprises seek new capabilities in less complex environments. In security, however, pushing too early for quantifiable returns can jeopardize necessary investment in the supporting security components that accelerate end-to-end integration and the higher return on investment that accrues when the cumulative value of the broader security platform falls into alignment.
DEMAND FOR END-TO-END SOLUTIONS
Demand for comprehensive and integrated answers in security is now higher than it has ever been because managers are not getting the results that they need. At the planning level, directors, CEOs, and CIOs are having difficulty resolving strategic business issues relating to security. They do not have the command necessary to help implement solutions end-to-end across the enterprise; the control necessary to face new regulatory requirements with confidence; and the metrics and reporting platform needed to demonstrate return on investment and to improve security management over time.
At the operational level, network and system managers are having difficulty with technical issues: the costs and inefficiencies of manually administered systems for both enablement and protection; the heavy streams of data generated from their point technologies; and the inability to convert this data into meaningful information on a timely basis.
These challenges illustrate that today, enterprises are not only poorly served by their current product-based security management platform, but also are unable to command the end-to-end solution that both their security environment and strategic business objectives require.
■ An Integrated Approach to Security Planning and Design
Some forward-looking executives are beginning to recognize that their past investment in security point products simply represents the first stage of a long-term commitment to building a fully integrated security platform. These executives are now realizing that their investments to date in technology point products have not been misguided, they are merely incomplete.
THE PRIMARY OBJECTIVES OF AN INTEGRATED SECURITY SOLUTION
To realize the expected return from these commitments, organizations must meet four primary objectives essential to the success of comprehensive information security planning and design.
Support the Achievement of Business Objectives The primary objective for an integrated security solution must be to align security in the manner that best supports the enterprise’s ability to achieve its strategic objectives. As rudimentary as this may appear, the practical reality is that far too many security initiatives are launched for one purpose and are then technically configured for an entirely different purpose.
Build the Appropriate Capabilities in Protection Integrated security planning must achieve the capabilities in protection necessary to safeguard an organization’s information assets from harm or misuse in a manner that is fully aligned with the organization’s business objectives, and appropriately balanced with the enterprise’s enablement requirements.
Build the Appropriate Capabilities in Enablement Integrated security planning must achieve the capabilities in enabling access to critical information assets in a manner that is fully aligned with the organization’s business objectives, and appropriately balanced with the enterprise’s protection requirements.
Maximize the Value Recovery with End-to-End Solutions Integrated security planning also must deliver solutions that are strongly rooted across the enterprise. This approach helps ensure that as new security capabilities are introduced in the future, they add incremental value to the business, help accelerate the return of prior investments in point technologies, and enhance the value of the enterprise’s end-to-end security platform.
When these strategic issues are appropriately resolved, enterprises capitalize on the benefits promised by the technology investments implemented to date and also harvest the benefits delivered by a fully integrated approach to capturing the value of security.
Until these issues are comprehensively resolved, however, executives and enterprises will continue to bear the high costs of ownership and the immature returns of an incomplete investment in security.
KEY STRATEGIES FOR AN INTEGRATED APPROACH TO SECURITY
Establishing a clear vision of what a comprehensive security program must achieve is essential. Given the complexity of the challenge, however, several strategies are crucial to translating these objectives into pragmatic working solutions.
Balance the Tradeoffs between Protection and Enablement There is a natural tension between an enterprise’s need to protect its information assets while simultaneously enabling appropriate access to them. For example, unnecessarily aggressive authentication mechanisms in an identity management (IdM) solution can cause serious and costly login delays across the network, or worse, failure to win a major new customer account because top account sales executives could not access their own data from off-site in a timely manner. In other words, the level of protection or enablement associated with any given information asset—whether it be an e-mail server, database, or log activity report—must be appropriate to the value of the asset and the asset’s role in supporting business objectives, and provide balance between the competing needs of protection and enablement.
Manage Security Information on a Centralized Basis Because individual point products each satisfy different security requirements, the ability to manage security data on a centralized basis is an essential attribute of any integrated security solution. With respect to enablement, for example, using a federated or centralized approach to IdM delivers a single, reliable source of user information, improves compliance with organizational policies, ensures proper privileges and access, and enhances relationships with customers. With respect to protection, a central data repository not only aggregates important information, it also allows the introduction of capabilities essential to comprehensively managing the threat environment: correlation of data from different sources, information that facilitates both prevention and response, metrics and reporting, forensics capabilities, and minimization of false positives and negatives.
Leverage the Best Technology Because technology resides at the core of an integrated solution, choosing the appropriate, high-quality technical components is important. As the technical integration challenges can be extensive and sophisticated at the enterprise level, the technology component should be developed by a vendor that has strong technical capabilities, proven products, a wide range of complementary modules, deep technical knowledge and a track record in the industry. Furthermore, this vendor should have the financial viability and market position required to support technology products over time and participate in future integration efforts.
Combine Organization, Process, and Technology Security should never be approached merely with a technology-only solution. Without the rules, responsibilities, and procedures prescribed by process, and in the absence of the people that are required to manage and oversee these processes, technology alone cannot deliver the benefits that security is intended to provide. Many vendors of specific point products make an effort to integrate their products with the rest of a customer’s security architecture. Anytime that an integration effort is purely technically driven, however, the critical alignment with business objectives is damaged and the full value of the security investment is strategically compromised. These are the supporting capabilities that propel the success of any security solution:
• Organization component—Focuses on the identification of clear accountability and supporting governance structure, as well as the training, education, management, and assignment of roles, responsibilities, and duties to the people— whether employees or consultants—who deploy, operate, administer, and maintain the enterprise’s solution on an ongoing basis.
• Process component—Integrates the technology into new and existing business processes to efficiently and effectively operate the solution. Process can be defined as a set of prescribed activities with explicit control points executed in defined sequences. Process is a critical component because it enables scalability, clear accountability, measurability, sustainability, and enterprisewide consistency in execution, and provides a basis for continuous improvement and leveraging skills.
• Technology component—Provides the security products and software modules, as well as the hardware or physical technologies that reside at the core of the overall solution.
Transforming fundamental security objectives and strategies into a pragmatic security solution requires an integrated working framework. This framework should provide a disciplined approach to understanding and planning a security implementation through a continuous cycle of the most crucial security activities.
As important as it is for enterprises to take a comprehensive, integrated approach to security planning, executives have difficulty assembling—on an ad hoc basis and in the right sequence of steps—the appropriate resources necessary to develop an integrated security strategy. These resources often are scattered across the enterprise and dedicated to other operating functions. Externally developed solution frameworks exist and are available, but very few, if any, comprehensively handle all of the planning elements described in the previous chapter. Moreover, very few planning frameworks articulate the steps and stages necessary to adapt security to the unique variables associated with each enterprise, including its operating environment, security resources, and strategic objectives.
To address this fundamental gap between enterprise demand for a comprehensive integrated approach to security and a working framework capable of delivering pragmatic planning results, PricewaterhouseCoopers has developed an organized framework that explains how security activities contribute value to an organization’s mission.
■ The ESBM Defined
The Enterprise Security Business Model (ESBM) is the first integrated and organized framework that articulates how the value of information security is identified, created, captured, and sustained in an organization. The model describes the value of security in terms of security’s ability to protect from harm, as well as enable appropriate access to, an enterprise’s critical business and information assets—in alignment with the enterprise’s security resources and strategic business objectives. With a sustained focus on the concepts of security as protection and security as enablement, PricewaterhouseCoopers relies on this industry-neutral model as a disciplined process-specific approach to helping organizations build a scalable, sustainable, comprehensive, and integrated security architecture.
■ Security Strategy and Planning
Graphically, the ESBM model has been constructed to represent a sequential flow, from left to right, of the most important security-related tasks. (See Figure 3.) Note that business objectives are identified at the left as the element that initiates the cycle of value. Also reflected in the model are the resources necessary to conduct these activities, represented as the three supporting capabilities—technology infrastructure, enterprise processes, and organizational resources. Each of these is described in more detail in the sections that follow.
The central backbone of the model’s architecture is formed by an organization’s business objectives. Business objectives are the single most important drivers behind security and therefore determine the unique combination of enabling and protecting capabilities. Business objectives fall into one of the following four categories:
• Regulatory compliance objectives—May involve government or industry regulations, legal requirements for cross-border operations, or corporate obligations mandated by new laws such as the Sarbanes-Oxley Act of 2002.
• Corporate strategy objectives—Can include reducing risk exposure, lowering costs, differentiating products, managing IT usage and dependency, and enabling new business opportunities.
• Corporate governance objectives—Focus on oversight and enforcement, or the dissemination of internal governance mandates.
• Third-party collaboration objectives—Enhance relationships among any or all of the following: suppliers and vendors, buyers or customers, competitors, markets, or entities in joint ventures.
SUPPORTING CAPABILITIES
An organization’s most important resources in planning, implementing, and sustaining an integrated security solution are organizational resources, business processes, and technology. These three resource elements are represented in the model as supporting capabilities that sustain the model architecture and cut across all primary activities:
• Organization—Comprises the enterprise workforce, and includes skill sets, roles, and responsibilities.
• Enterprise processes—Comprise the set of rationalized rules and procedures that serve the enterprise’s business needs and dictate parameters for the operating environment.
• Technology infrastructure—Comprises the physical components that operate and support the business.
INTEGRATION TOUCH POINTS
Linking the model’s four primary activities are key points of integration that ensure value transfer across the model. These are described as “integration touch points” and are represented in the model as smaller, integrated gears within the larger mechanism. Three of these integration touch points are visible in the graphic. The fourth point is invisible, but represents the crucial link to ensure the return of information generated in the Respond stage back to the Envision stage.
PRIMARY SECURITY ACTIVITIES
The ESBM graphically presents the activities that every organization must undertake in order to identify, create, capture, and sustain the value of security throughout the enterprise. These activities are grouped together in four stages: Envision, Engineer, Operate, and Respond.
The Envision Stage The first stage in the ESBM, the Envision stage includes the activities necessary to articulate the organization’s vision of security and define a security strategy that best supports the achievement of business objectives. This stage focuses on identifying the value of security required by the enterprise. The Envision stage is important because it compels senior management and IT planners to establish any security initiatives within an understanding of the enterprise’s comprehensive operating environment.
These tasks balance the organization’s requirements in enablement and protection, and ensure that the targeted strategy considers the requirements that will be placed on supporting capabilities in organizational resources, business processes, and technology.
Activities within this stage include aligning security initiatives with their associated costs, justifying the cost in terms of the business, increasing the efficiency of existing services, and mitigating business risk. The security strategy is designed to set the direction of the organization and focus security resources on the areas of greatest business need.
Risk-based decision analysis. When organizations create their security investment strategy they face a number of issues, including:
• Security investments are justified against hypothetical losses.
• Security benefits are difficult to quantify.
• Limited capital could be allocated against a wide variety of risks and possible solutions.
• Communicating risks and benefits of specific security investments to nontechnical stakeholders could be difficult.
To overcome these obstacles, companies must develop a risk-based decision analysis that enables them to allocate security resources and prioritize security projects. Such an analysis considers the risk decision, uncertainties that make the decision difficult, and preferences that value the outcomes. In doing so, the organization creates a common language and structure that can be used and understood by both technical and nontechnical stakeholders to reach consensus in security investment decision-making.
A crucial component of the risk-based decision analysis is an organization’s risk and value map. The map illustrates the current annualized cost of a security event and the projected cost of the same event after the security investment. For example, the cost might include the number of customers who switch to another supplier because of an event, the value of each lost customer, the additional advertising required to counteract the effects of the event, the cost of reimbursing customers for disrupted service, and so on.
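The risk and value map and the "limited capital" problem listed above can be made concrete in a few lines of code. The following is an added example, not part of the original text or a PricewaterhouseCoopers tool: it models one map row as the event's cost components (the ones the text names), its expected annual frequency before and after a proposed control, and the control's own annualized cost, then ranks candidate investments by net benefit and funds them until a budget runs out. All figures, scenario names and the greedy funding rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class EventCost:
    """Cost components of one occurrence of a security event.

    The components are the ones the text lists; all values are constructed
    sample figures, not measurements."""
    lost_customers: int          # customers who switch supplier because of the event
    value_per_customer: float    # value of each lost customer
    counter_advertising: float   # advertising needed to counteract the event
    reimbursement: float         # cost of reimbursing customers for disrupted service

    def total(self) -> float:
        return (self.lost_customers * self.value_per_customer
                + self.counter_advertising + self.reimbursement)


@dataclass
class Scenario:
    """One row of the risk and value map: an event before and after a proposed investment."""
    name: str
    investment: float      # annualized cost of the proposed control (hypothetical figure)
    freq_before: float     # expected occurrences per year without the control
    freq_after: float      # expected occurrences per year with the control
    cost_before: EventCost
    cost_after: EventCost

    def annualized_before(self) -> float:
        return self.freq_before * self.cost_before.total()

    def annualized_after(self) -> float:
        return self.freq_after * self.cost_after.total()

    def net_benefit(self) -> float:
        """Annualized loss avoided, less what the control itself costs."""
        return self.annualized_before() - self.annualized_after() - self.investment


def prioritize(scenarios: List[Scenario], budget: float) -> List[str]:
    """Fund investments in order of net benefit until the capital runs out.

    Investments with no positive net benefit are never funded, and one that
    does not fit the remaining budget is skipped rather than partially funded."""
    chosen, remaining = [], budget
    for s in sorted(scenarios, key=lambda s: s.net_benefit(), reverse=True):
        if s.net_benefit() <= 0:
            break
        if s.investment <= remaining:
            chosen.append(s.name)
            remaining -= s.investment
    return chosen


# Constructed sample map with three candidate investments.
SAMPLE_SCENARIOS = [
    Scenario("Customer portal outage", investment=50_000.0,
             freq_before=2.0, freq_after=0.5,
             cost_before=EventCost(200, 500.0, 30_000.0, 20_000.0),
             cost_after=EventCost(100, 500.0, 10_000.0, 10_000.0)),
    Scenario("Payment data exposure", investment=120_000.0,
             freq_before=0.2, freq_after=0.1,
             cost_before=EventCost(1_000, 500.0, 200_000.0, 100_000.0),
             cost_after=EventCost(1_000, 500.0, 200_000.0, 100_000.0)),
    Scenario("Partner extranet downtime", investment=30_000.0,
             freq_before=4.0, freq_after=1.0,
             cost_before=EventCost(20, 500.0, 5_000.0, 5_000.0),
             cost_after=EventCost(10, 500.0, 2_000.0, 2_000.0)),
]

if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name:28s} before={s.annualized_before():>10,.0f} "
              f"after={s.annualized_after():>9,.0f} net={s.net_benefit():>10,.0f}")
    print("fund with $70,000:", prioritize(SAMPLE_SCENARIOS, 70_000))
    print("fund with $100,000:", prioritize(SAMPLE_SCENARIOS, 100_000))
```

The second scenario is deliberately one where the control reduces frequency but not enough to pay for itself, so it is never funded; the third shows that a worthwhile control can still be deferred when the remaining capital is too small, which is the allocation conversation the map is meant to support with nontechnical stakeholders.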
The Engineer Stage
The Engineer stage includes the set of tasks that design and configure the technologies, business process controls, and organizational components necessary to achieve the value targeted in the Envision process. This stage focuses on creating the value of security required by the enterprise through achieving the right balance between enablement and protection.
Activities in the Engineer stage include: designing a secure and resilient infrastructure to enable authorized users to have access to information assets and protect against unauthorized access; securing information assets with options and controls associated with the security solution’s hardware and software components; engineering the controls necessary to ensure that business processes are performed in a reliable and repeatable manner; and deploying the processes and technologies that provide access to the appropriate set of information assets and accompanying entitlements to users based upon their business roles.
The Operate Stage
The Operate stage includes the set of tasks that collectively manage and maintain the controls designed in the Engineer process. This stage focuses on capturing the value of security required by the enterprise. The Operate activity involves continuous management of the security and controls built across the infrastructure of enterprise processes and technologies.
Activities in the Operate stage include: managing the security-related people, processes, and technologies put in place during the Engineer stage; generating reports to security decision-makers; detecting, identifying, and isolating threats to operations and assets; identifying and isolating vulnerabilities in assets before they are exploited by attack; and continuously reviewing and assessing the security infrastructure to improve the effectiveness and efficiency of the organization’s security capability.
The Respond Stage
The Respond stage includes the set of tasks that address incident recovery, stabilization, the resumption of normal business operations, forensic analysis procedures, and the regular communication of information back to planners cyclically engaged in the Envision process. This stage focuses on sustaining the value of the security required by the enterprise.
Activities in the Respond stage include: stabilizing operations during and after an incident; ensuring that the incident causes minimal damage or exposure of information assets; verifying that the inherent vulnerability from which the incident stemmed has been fixed so it will not recur; investigating the incident to determine what happened, how the incident occurred, and what information assets were affected and the extent to which they may have been compromised; and ensuring a rapid return to normal operations, bringing all operational processes back to the status they were in before the incident occurred.
■ The ESBM as a Dynamic Process
Understanding how these primary security activities relate to one another is essential. Addressing only one or two of these stages without bringing the same discipline and diligence to the others compromises the enterprise’s ability to accumulate and harvest the full value potential in security.
A company, for example, might excel in the design of an effective security solution (which demonstrates proficiency in the Engineer stage), but neglect to manage the solution efficiently on a day-to-day basis (which demonstrates weakness in the Operate stage). This situation describes a weakness in the security value chain that will probably result in a greater likelihood of encountering security-related incidents that are more frequent, more harmful, and more costly (an unintended impact that affects the Respond stage). Consider a further extension of this example. Security incidents encountered in the Respond stage will be enormously more disruptive and harmful if the company has not appropriately established the alignment of security with its business objectives (an integral component in the Envision stage). Such a scenario could result if the well-designed solution developed in the Engineer stage was configured to protect an information asset with little or no value, at the expense of a strategic asset with a primary role in increasing revenues.
To be successful in adding value through security, a company must consistently Envision components of the Engineer, Operate, and Respond stages; Engineer components of the Operate and Respond stages; Operate security on a continuous basis and Respond to incidents. After responding to incidents, a return to Envision, Engineer, and Operate is in order.
■ How Organizations Approach the ESBM
How individual organizations internalize the benefits delivered by the ESBM framework in specific practical terms depends on a wide range of organizational circumstances—circumstances that extend well beyond clearly relevant factors such as the organization’s size, its short-term and long-term business objectives, its IT security budget, and standard security-related practices within its industry. Also important are many other factors, such as the following:
• The urgency behind the current need for security
• The organization’s present security posture (reactive or proactive)
• The capability of the organization to adapt to change
• The locus of security ownership (board, corporate, IT department)
• The balance of roles among internal security constituents (the internal buyers of security)
These primary factors, in varying combinations, determine how an organization elects to approach the ESBM. Each of these approaches is briefly discussed in the following sections.
THE ESBM AS AN INTEGRATED SOLUTION
Some organizations benefit from the ESBM indirectly—because the model is already integrated in their solutions. These organizations have an acute need to remediate the effects of an adverse security-related event in the shortest amount of time. This occurs, for example, when an organization is suffering significant operational dislocation as the immediate result of an intrusion incident. In such cases, the organization requires an immediate resolution. While it may not be directly engaging the mechanics of the ESBM, the organization is still internalizing the benefits of the model because all PricewaterhouseCoopers solutions are aligned to specifically support the activities articulated in the ESBM.
THE ESBM AS A STRATEGIC PLANNING WINDOW
A top-down planning approach opens a strategic window on the enterprise’s comprehensive security posture. This opportunity allows organizations to establish a broad base of understanding about the scope, depth, and promise of the current security platform, including fundamental planning elements such as its current architecture, its intended configuration, and the likely results of anticipated investment in any targeted security initiative.
THE ESBM AS A COMPREHENSIVE STAGING PLATFORM
Most enterprises stage the implementation of prioritized security initiatives according to their operational needs, financial capabilities, and the organization’s ability to adapt to change. Given the practical benefits of a staged approach, it is all the more critical that components of the security strategy are launched in the context of a comprehensive master plan.
THE ESBM AS A FRAMEWORK TO ACCELERATE STRATEGIC ALIGNMENT
An integrated approach to security delivers compounded benefits. When implemented according to a comprehensive planning platform, new capabilities can provide the enterprise with incremental value intrinsic to the specific solution; accelerate the maturity schedule for value locked in earlier technology-based investments; and enhance the value of the end-to-end security platform as, initiative by initiative, it eventually supports the achievement of business objectives.
THE ESBM AS A CONSENSUS-BUILDING APPROACH
Any organization has different buyers of security, or different security benefit constituencies. For example, a chief executive officer (CEO) may be more interested in implementing an Internet-based customer self-service system to build customer satisfaction and decrease customer service costs. On the other hand, the chief information officer (CIO) in the same company is concerned more about ensuring the stability, integrity, and privacy of the information assets that will be placed at some risk by the new system. An integrated planning framework provides a process that encourages the participation of all relevant personnel. This framework also extends the platform required to build a common vision of security; understand and balance competing security requirements from different internal buying centers; and prioritize the investment based on the expected effects on the enterprise’s performance objectives, rather than the objectives specific to a particular department or internal security constituent.
THE ESBM AS A COMMON GLOBAL LANGUAGE
For diversified organizations with operations that span international boundaries, different industries, or multiple lines of business, a comprehensive and integrated approach to security establishes a standardized and synchronized approach to security globally. The integrated approach can provide a common language and diagnostic road map that can enhance communication, lower costs, and improve security’s return on investment across multiple geographic areas of operation.
Information security has long centered around the concept of exclusion, the primary goal of which is to prevent unauthorized access to the internal resources of an IT environment. Organizations implemented this so-called security of exclusion by setting up security perimeters between enterprise networks and the outer world. These virtual boundaries isolated internal networks— keeping out unwanted visitors, defending against viruses and malicious code, and protecting against external attack.
This approach to information security has been practiced since the 1970s when mainframe-based applications were the dominant systems in use by organizations. As companies migrated their systems to client/server-based applications in the 1980s and early 1990s, they continued to strictly separate internal and external environments. This approach usually included the following:
• Granting access to systems and applications through the use of username and password combinations.
• Limiting, controlling, and monitoring the electronic gateways that face the outside world.
• Allowing electronic communication with outside partners only through previously arranged and approved applications.
During the late 1990s and early 2000s, businesses began deploying Internet-based applications, in which customers, employees, and business partners could access enterprise applications from inside their Web browsers.
Companies began to implement Internet-based environments such as user portals, supplier portals, intranets, and extranets in order to reduce costs, improve collaboration, and increase productivity. This transition to an extended enterprise created the need for a fundamental shift in the approach to information security, one that addressed the following security requirements:
• Technology resources are connected and available to the right people.
• Checks and balances are in place to ensure appropriate access and approvals.
• Perimeter protection and monitoring are assured.
• The supporting systems environment is reliable and resilient.
• The confidentiality, integrity, and availability of information assets are ensured.
This new approach to information security is based on the concept of inclusion, in which widely distributed data and users are able to communicate with systems located inside the traditional perimeter of the organization.
In this model, perimeter security remains a crucial element, but organizations also need the ability to grant controlled external access to internal applications by following well-defined rule sets. The key to doing this is to efficiently manage each entity’s identity across an enterprise. For a comparison of the security of inclusion and the security of exclusion.
Security controls and identity management (SCIM) solutions are the technologies and processes that enable companies to achieve the balance between the security of inclusion and the security of exclusion. This balance allows organizations to protect their infrastructure from malicious users and attackers while also facilitating closer and more profitable working relationships with suppliers, customers, and business partners. SCIM has three primary components:
• Business process controls—The policies and procedures that help ensure that necessary actions are taken to manage risks, so that an organization can achieve its objectives.
• Identity management—The processes and supporting technologies that enable authorized users to efficiently interact and process information specific to their organizational role.
• Technology infrastructure security—The processes and supporting technologies for ensuring the integrity and reliability of an organization’s information processing environment.
■ Business Process Controls
Business process controls, sometimes referred to as security controls, are a fundamental component of an organization’s security framework. They enable organizations to meet their objectives by establishing policies and procedures that help ensure that the necessary actions are taken to manage risks. Controls should be present at all levels in an organization and should be included in functions such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
A control can be as simple as manually running a report and reviewing the output for unusual items, or it can be as complex as an automated security control that prevents a user from viewing or changing a field on a specific screen. Controls can also be either process driven or technology driven—or both. For example, an automated tool, such as a firewall or intrusion detection system, can warn system administrators of various events that need to be addressed, or system access can be manually reviewed periodically to ensure that previously granted access is still appropriate.
In implementing business process controls, companies must address four areas: risk, control objectives, control techniques, and the security and control framework.
Core business objectives seek to manage rudimentary risks, while compliance objectives are focused on external laws and regulations like the United States’ Sarbanes-Oxley Act of 2002. Once the control objectives are identified, companies use control techniques that include avoidance, control, acceptance, and transfer of risk. These control techniques follow a preventive or detective approach. This matrix of control objectives, control risks, and control techniques forms a controls framework that organizations can use to maintain their internal control structure. This framework defines the enabling processes that ensure security, technology, and process controls are aligned to business objectives.
CATEGORIES OF CONTROLS
Controls are designed in response to a type or level of risk and can be categorized as monitoring controls, application controls, and general computer controls. Controls in these categories can be implemented throughout an organization and can be used in security, identity management, and financial and operational processes.
Most controls are designed to meet the objectives of completeness, accuracy, validity, or restricted access. Completeness means that all transactions that are entered are complete and contain the required information to be accepted for processing. Controls designed to meet the objective of accuracy help ensure that key data elements are recorded and input to the system accurately through data-entry design features. The control objective of validity is to make sure that transactions are authorized, that transactions are not fictitious as they relate to the company, and that changes to standing data are authorized and reviewed. Finally, restricted access means the controls protect against unauthorized amendments of data, ensure confidentiality of data, and protect physical assets, such as cash and inventory, from theft or misuse.
Monitoring controls, also called management controls, assure management that business processes or other controls relevant to business risks are operating as expected. These controls consist of ongoing or periodic evaluations performed by management, or on behalf of management, to compare information generated inside the business to key benchmarks or key performance indicators (external and internal). For example, management may monitor the number of products being returned or the number of credit memos being issued and then try to identify an underlying cause. For security purposes, management may monitor the number of failed login attempts to ensure that someone is not attempting unauthorized access to the system or data. These controls lead to corrective action, if necessary.
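The failed-login example above is a monitoring control that is easy to automate. The following is an added example, not code from the original text or from any product it mentions: it parses a constructed authentication log, raises an alert when one account accumulates a threshold of failures inside a sliding time window, and separately flags a source address whose failures are spread thinly across many accounts, which a per-account threshold alone would miss. The log format, thresholds, user names and addresses are all constructed assumptions; unparseable lines are counted so the report can state whether the control saw complete input.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication log (a simple one-event-per-line format, not the
# output of any particular product). One malformed line is included on purpose.
SAMPLE_LOG = """\
2004-03-01T09:00:00 auth LOGIN_FAILED user=bjones src=10.0.0.7
2004-03-01T09:00:01 auth LOGIN_FAILED user=jsmith src=10.0.0.5
2004-03-01T09:00:08 auth LOGIN_FAILED user=jsmith src=10.0.0.5
2004-03-01T09:00:15 auth LOGIN_FAILED user=jsmith src=10.0.0.5
2004-03-01T09:00:40 auth LOGIN_OK user=asmith src=10.0.0.6
2004-03-01T09:01:02 auth LOGIN_FAILED user=jsmith src=10.0.0.5
2004-03-01T09:02:30 auth LOGIN_FAILED user=jsmith src=10.0.0.5
2004-03-01T09:03:10 auth LOGIN_OK user=jsmith src=10.0.0.5
2004-03-01T09:10:00 auth LOGIN_FAILED user=carol src=10.0.0.9
2004-03-01T09:10:20 auth LOGIN_FAILED user=dave src=10.0.0.9
2004-03-01T09:10:40 auth LOGIN_FAILED user=erin src=10.0.0.9
2004-03-01T09:11:00 auth LOGIN_FAILED user=frank src=10.0.0.9
2004-03-01T09:30:00 auth LOGIN_FAILED user=bjones src=10.0.0.7
2004-03-01T09:30:30 auth LOGIN_FAILED user=bjones src=10.0.0.7
2004-03-01T09:31:00 auth LOGIN_FAILED user=bjones src=10.0.0.7
2004-03-01T09:31:30 auth LOGIN_FAILED user=bjones src=10.0.0.7
this line is malformed
"""

LINE_RE = re.compile(r"^(\S+) auth (LOGIN_OK|LOGIN_FAILED) user=(\S+) src=(\S+)$")

Event = Tuple[datetime, str, str, str]   # (timestamp, outcome, user, source)


def parse(log_text: str) -> Tuple[List[Event], int]:
    """Parse the log; return the events and the number of lines that could not be parsed.

    Unparseable lines are counted rather than silently dropped, so the monitoring
    report can show whether its input was complete."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events, skipped


def user_alerts(events: List[Event], threshold: int = 5,
                window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Alert when one account accumulates `threshold` failures inside a sliding window."""
    alerts = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for ts, outcome, user, _src in sorted(events):
        if outcome != "LOGIN_FAILED":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:      # forget failures that fell out of the window
            q.pop(0)
        if len(q) == threshold:              # fire once, when the threshold is reached
            alerts.append((user, ts.isoformat()))
    return alerts


def source_alerts(events: List[Event], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Flag a source whose failures touch at least `min_accounts` different accounts."""
    users_by_src: Dict[str, set] = defaultdict(set)
    for _ts, outcome, user, src in events:
        if outcome == "LOGIN_FAILED":
            users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evs, bad = parse(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} line(s) skipped")
    print("per-account alerts:", user_alerts(evs))
    print("per-source alerts:", source_alerts(evs))
```

In the sample, bjones has five failures in total but only four inside any ten-minute window, so the default threshold does not fire for that account; lowering the threshold or widening the window changes that, which is the tuning decision management makes when it sets the benchmark for this control.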
Individual control activities, also called application controls in the audit field, operate at a detailed business-process or transaction level and are designed to ensure the integrity of accounting records. These controls provide assurance that the information within a business process is complete, accurate, valid and authorized, and protected from unauthorized access.
Control activities can be manual, such as requiring a written signature on all purchase orders exceeding $500, or the controls can be configured within an application. An example of an automated or configurable control is workflow. Within an automated workflow, the system could be configured to determine automatically whether a purchase order requires additional approval on the basis of a dollar value; to determine whether the user(s) has authority to approve the purchase order; and to authenticate an electronic approval. Automated controls are preferred, because they remove much of the human element from the security equation and reduce the occurrence of errors.
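The configurable workflow described above can be written down as three checks: does the amount require approval beyond the requester, does the approver's role carry authority for that amount, and is the electronic approval genuine and bound to the purchase order as approved. The following is an added example, not code from the original text or any ERP product: the approval tiers, roles, user names and secrets are constructed assumptions, and the electronic approval is modelled as an HMAC over the purchase order fields under a per-approver secret, so that a later change to the amount or vendor invalidates it. It also refuses to let a requester approve their own order, a segregation-of-duties point the text returns to later.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed approval policy: the lowest role that may approve, by amount. An order of
# $500 or less needs no approval beyond the requester (the text's $500 threshold);
# larger amounts escalate to more senior roles.
APPROVAL_TIERS = [(500.0, "buyer"), (5_000.0, "manager"),
                  (50_000.0, "director"), (float("inf"), "cfo")]
ROLE_RANK = {"buyer": 0, "manager": 1, "director": 2, "cfo": 3}

# Constructed user directory: role plus a per-user secret used to authenticate approvals.
# In a real system the secret lives in a credential store, not in source code.
USERS = {
    "alice": ("buyer", b"alice-demo-secret"),
    "bob": ("manager", b"bob-demo-secret"),
    "carol": ("director", b"carol-demo-secret"),
    "dave": ("cfo", b"dave-demo-secret"),
}


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    requester: str
    amount: float
    vendor: str


def required_role(amount: float) -> str:
    """Lowest role whose authority covers this amount."""
    for limit, role in APPROVAL_TIERS:
        if amount <= limit:
            return role
    raise ValueError("amount not covered by approval tiers")


def needs_additional_approval(po: PurchaseOrder) -> bool:
    """True when the order must be approved by someone above the requester's buyer role."""
    return ROLE_RANK[required_role(po.amount)] > ROLE_RANK["buyer"]


def _approval_message(po: PurchaseOrder, approver: str) -> bytes:
    # Every field the approval is meant to cover goes into the signed message, so a
    # later change to amount or vendor no longer matches the recorded approval.
    return f"{po.po_id}|{po.requester}|{po.amount:.2f}|{po.vendor}|{approver}".encode()


def sign_approval(po: PurchaseOrder, approver: str) -> str:
    """Electronic approval: an HMAC-SHA256 over the PO fields under the approver's secret."""
    key = USERS[approver][1]
    return hmac.new(key, _approval_message(po, approver), hashlib.sha256).hexdigest()


def verify_approval(po: PurchaseOrder, approver: str, tag: str) -> Tuple[bool, str]:
    """Check authority, segregation from the requester, and authenticity of the approval."""
    if approver not in USERS:
        return False, "unknown approver"
    if approver == po.requester:
        return False, "requester may not approve own purchase order"
    role, key = USERS[approver]
    needed = required_role(po.amount)
    if ROLE_RANK[role] < ROLE_RANK[needed]:
        return False, f"{role} lacks authority for this amount ({needed} required)"
    expected = hmac.new(key, _approval_message(po, approver), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "approval does not match purchase order"
    return True, "approved"


if __name__ == "__main__":
    po = PurchaseOrder("PO-1002", "alice", 4_200.0, "Acme Supply")
    print("needs approval:", needs_additional_approval(po), "by", required_role(po.amount))
    tag = sign_approval(po, "bob")
    print("bob:", verify_approval(po, "bob", tag))
    altered = PurchaseOrder("PO-1002", "alice", 4_200.0, "Other Vendor")
    print("altered vendor:", verify_approval(altered, "bob", tag))
```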
Validity and restricted access are two important control objectives within a business process. Transactions should be authorized and should not be fictitious as they relate to the company. Changes to standing data should be properly authorized; data should be protected against unauthorized amendment; and information should be held confidential. All these requirements contain an aspect of security, and all can be controlled using identity management.
Using identity management processes and technologies, organizations can define who has access to their systems and applications. Organizations may also define where users are allowed to go; what they are allowed to do; and when access should be provided or revoked—both within the organization and outside it (for example, customers, suppliers, business partners).
General Computer Controls
General computer controls, also called IT controls, are used to manage and control information technology activities and the computer environment, such as information security (both physical and logical), computer operations, development and implementation of new systems, and maintenance of existing systems. General computer controls ensure the integrity of the system as a whole, whereas application controls ensure system integrity at the transaction level.
A combination of monitoring, application, and general computer controls is needed to prevent, detect, and correct processing errors—and all can and should be components of identity management and security activities.
SEGREGATION OF DUTIES
Segregation of duties is a basic and essential internal control and one of the most difficult to achieve. It is used to ensure that employees prevent or detect errors or irregularities on a timely basis during the normal course of business. Achieving segregation of duties depends on designing solid business processes and security procedures.
Segregation of duties provides two benefits. First, it makes deliberate fraud more difficult, because the fraud requires collusion by two or more persons. Second, it increases the likelihood of finding innocent errors. At the most basic level, segregation of duties means that no single individual controls two or more phases of a transaction or operation. If one person can carry out and conceal errors or irregularities in the course of performing her or his day-to-day activities, that person has been assigned or allowed access to incompatible duties or responsibilities. Some examples of incompatible duties include the following:
• Authorizing a transaction and then receiving and maintaining custody of the asset resulting from the transaction.
• Receiving checks (payment on account) and approving write-offs.
• Depositing cash and reconciling bank statements.
• Approving time cards and having custody of paychecks.
• Having unlimited access to assets, accounting records, and computer terminals and programs; for example, having access to and using checks as source documents to post to accounting records instead of using a check log or receipts.
In enterprise resource planning (ERP) systems, the ability to perform the abovementioned duties, as well as many others, is controlled through an individual’s security profile. Weak security design can result in fraud or theft of confidential data. For example, if a security profile allows a user to create or maintain a vendor, create a purchase order, and pay the invoice for that purchase order, a user can create himself or herself as a vendor and ultimately print a check to that fictitious vendor. Unless other monitoring controls are in place, such as a supervisor reviewing newly created or modified vendors, or reviewing all payments that are created, this type of activity could go undetected.
Organizations examine four general categories of duties or responsibilities—authorization, custody, record-keeping, and reconciliation—when establishing segregation of duties. If possible, different employees will perform each of these four major functions and no one person will have control of two or more of these responsibilities. The assignments should be incorporated into the security design. An organization also should review security when users leave, change roles, or change departments, as well as when new system functionality or user requirements cause changes in access. A well-controlled environment can quickly deteriorate if improperly maintained.
If an organization cannot fully segregate duties, then it must establish mitigating or compensating controls to reduce the risk of errors or irregularities. For example, if a record keeper also performs a reconciliation process, a supervisor could perform and document a detailed review of the reconciliation.
Several IT functions should be segregated, such as between systems development and operations, operations and data control, and database administration and system development. Because IT personnel might have access to data outside the application or to the programs that process the data, an opportunity exists for data to be manipulated directly or via the database. Someone also could change the way the data is processed and make no record of the changes. For example, if a user has direct access to the database where payroll data is stored, the user could change a pay rate or delete data without being detected. Organizations must define and know who should and should not have access to data, and they must be able to enforce those rules.
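The segregation-of-duties review described in this section (the ERP security profile that can create a vendor, raise a purchase order and pay the invoice; the four duty categories; compensating controls; and the development/operations split for IT staff) can be automated as a check over the permission catalogue. The following is an added example, not code from the original text or any ERP system: it classifies each permission by business process and duty category, reports a user whose profile holds two or more duty categories within one process, marks the conflict as mitigated when a compensating control is registered for that process, and treats any permission missing from the catalogue as a finding in its own right, since an unclassified permission cannot be checked. Permission names, processes, user profiles and the compensating-control register are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed permission catalogue: each ERP permission is classified by the business
# process it belongs to and by the duty it represents (the four categories from the
# text, plus development/operations for the IT functions it says should be separated).
PERMISSIONS: Dict[str, Tuple[str, str]] = {
    "VENDOR_MAINTAIN":  ("purchase-to-pay", "record-keeping"),
    "PO_CREATE":        ("purchase-to-pay", "authorization"),
    "INVOICE_PAY":      ("purchase-to-pay", "custody"),
    "BANK_RECONCILE":   ("purchase-to-pay", "reconciliation"),
    "CHECK_RECEIVE":    ("receipts", "custody"),
    "WRITEOFF_APPROVE": ("receipts", "authorization"),
    "PAYROLL_REPORT":   ("payroll", "record-keeping"),
    "CODE_DEVELOP":     ("it-change", "development"),
    "CODE_DEPLOY":      ("it-change", "operations"),
}

# Constructed register of compensating controls, keyed by process. A conflict in a
# process with a registered compensating control is reported as mitigated, not cleared.
COMPENSATING: Dict[str, str] = {
    "it-change": "change advisory board reviews and documents every deployment",
}


@dataclass
class Conflict:
    process: str
    duties: List[str]        # duty categories the profile combines within the process
    permissions: List[str]   # the permissions that produce the combination
    mitigated: bool
    note: str = ""


def check_profile(profile: Set[str], permissions=PERMISSIONS,
                  compensating=COMPENSATING) -> Tuple[List[Conflict], List[str]]:
    """Return (conflicts, unknown) for one security profile.

    A conflict is any process in which the profile holds two or more duty categories.
    `unknown` lists permissions absent from the catalogue; these are findings too,
    because a permission that is not classified cannot be checked."""
    by_process: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    unknown = []
    for perm in sorted(profile):
        if perm not in permissions:
            unknown.append(perm)
            continue
        process, duty = permissions[perm]
        by_process[process][duty].append(perm)
    conflicts = []
    for process in sorted(by_process):
        duties = by_process[process]
        if len(duties) >= 2:
            conflicts.append(Conflict(
                process=process,
                duties=sorted(duties),
                permissions=sorted(p for ps in duties.values() for p in ps),
                mitigated=process in compensating,
                note=compensating.get(process, ""),
            ))
    return conflicts, unknown


def review(profiles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Periodic access review: users with unmitigated conflicts or unclassified permissions."""
    findings = {}
    for user, profile in profiles.items():
        conflicts, unknown = check_profile(profile)
        items = [f"{c.process}: {'/'.join(c.duties)}" for c in conflicts if not c.mitigated]
        items += [f"unclassified permission: {p}" for p in unknown]
        if items:
            findings[user] = items
    return findings


# Constructed user profiles. "pat" matches the text's example: the profile can create a
# vendor, raise a purchase order, and pay the invoice. "kim" combines receiving checks
# with approving write-offs, another pair from the text's list, plus an unclassified permission.
PROFILES = {
    "pat": {"VENDOR_MAINTAIN", "PO_CREATE", "INVOICE_PAY"},
    "lee": {"PAYROLL_REPORT", "BANK_RECONCILE"},
    "sam": {"CODE_DEVELOP", "CODE_DEPLOY"},
    "kim": {"CHECK_RECEIVE", "WRITEOFF_APPROVE", "LEGACY_TXN_99"},
}

if __name__ == "__main__":
    for user, items in review(PROFILES).items():
        print(user, "->", items)
```

Because the check is driven by the catalogue rather than by a hand-written list of forbidden pairs, adding a new permission only requires classifying it; the same function then covers every combination within that process, and the review can be re-run whenever users change roles or departments, as the text recommends.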
New laws and regulations are imposing corporate governance, financial disclosure, and public accounting requirements, as well as information-security requirements. Often, all enterprises in a particular industry must comply with these regulations, regardless of the size of the enterprise.
In the United States, the Sarbanes-Oxley Act of 2002 is probably the single most important piece of legislation affecting corporate governance, financial disclosure, and the practice of public accounting since the passage of the U.S. securities laws of the early 1930s. However, in addition to Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) in the health care industry and the Gramm-Leach-Bliley Act (GLBA) in the financial services industry are creating new challenges for management. For example, to maintain their business relationship, enterprises are increasingly requiring their trading partners to take security measures also, such as using a digital certification provider for secure communications or the Internet Protocol Security (IPSec) for virtual private networks (VPN).
Sarbanes-Oxley, Section 302, will require chief executive officers (CEOs) and chief financial officers (CFOs) to certify that they have disclosed to the audit committee and external auditor any significant deficiencies and material weaknesses in internal controls for financial reporting; and any fraud (material or not) involving anyone who has a significant role in those internal controls, even though such a person or persons may be far removed from day-to-day business transactions. Congress has instituted significant civil and criminal penalties for knowingly certifying to the Securities and Exchange Commission (SEC) a report containing material misstatements or omissions. These regulations are forcing managers to rethink their security and control strategies and to formalize a strong internal controls framework.
Organizations now must ensure that the controls being implemented are operating efficiently, effectively, and as intended, and that they are appropriately updated in an ever-changing environment. Companies are engaging their internal audit departments and external auditors or other audit firms to help them ensure correct implementation and operation of their controls, and to help them perform gap analyses to determine where control weaknesses exist and what must be done to achieve compliance with Sarbanes-Oxley. Some activities include formalizing policies and procedures, documenting processes and significant controls within those processes, and assigning individual accountability.
In addition to Section 302, Sarbanes-Oxley, Section 404, will require that, “on an annual basis to be included with the annual report, management must state their responsibility for establishing and maintaining an adequate internal control structure and procedures over financial reporting and their assessment as of the end of the fiscal year of the effectiveness of such internal control structure and procedures. In addition, the issuer’s external auditor is to attest to and report on management’s assessment.”
Management’s growing dependence on information technology, plus the fact that many business process and security controls (for example, preventing certain users from posting to certain general ledger accounts) can be automated or configured within the applications, is increasing the challenge of establishing and maintaining an adequate internal control structure. Organizations and their auditors now must have an in-depth knowledge of information technology. In addition, IT will need to react to the provisions of Sarbanes-Oxley under Section 302, Certifications, and Section 404, Assertion on Internal Control, and be involved in developing processes and technology usage to support the internal controls framework.
Committee of Sponsoring Organizations Framework
To comply with Sarbanes-Oxley, most companies are using the Committee of Sponsoring Organizations (COSO) framework of the Treadway Commission to implement internal controls throughout the organization. COSO will probably be the basis for determining the effectiveness of internal controls over financial reporting for Section 404 certification. COSO identifies five components of internal control that must be in place and integrated to ensure achievement of the following objectives:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
The five components are the control environment, risk assessment, control activities, information and communication, and monitoring. All five components span operations, financial reporting, and compliance and are heavily integrated with information technology. The ideal control framework will incorporate monitoring controls, application controls, and general computer controls.
These new regulations will require management to be knowledgeable about changing technology and the way information technology controls play a role in the organization’s internal controls framework. The organization’s external auditors also must have that knowledge.
Because regulations are now mandating severe civil and criminal penalties for disclosing misstated information, and because companies are desperately trying to regain public trust, business process and security controls that can detect (and ideally prevent) these breaches are becoming more important. Furthermore, automated controls that can remove the human element from the processes are preferable to help ensure greater security.