WHITE PAPER: Assuring Your Information. How much should you spend?

California Law. ISO. Sarbanes-Oxley Act. NERC. Basel II.

Contents

Executive summary: What is INFORM?
Benefits of INFORM
Information security and information assurance
Information assurance and risk management
Establishing a dialogue
Coordinated action plan
Structured evaluation
How INFORM works
Asset valuation
Impact assessment
Probability assessment
Information assurance risk exposure
ISO benchmarking
Solution program and scenario creation
Conclusion

Executive summary: What is INFORM?

INFORM is a Web-based application and program that has been designed to help organizations manage their information assurance risk and the costs associated with it. INFORM can be used to evaluate whether or not an investment in a particular information assurance program is justified, by showing the extent to which it will reduce risk exposure compared with its annualized cost. INFORM:

- Captures and gives a monetary value to risks
- Benchmarks current information assurance program effectiveness against a global standard to identify program gaps and focus on areas of improvement
- Creates a prioritized action plan to achieve targeted information assurance improvements and optimize security spending

Using INFORM, an organization can benchmark information assurance risk management between its different groups and locations and can analyze trends over time to monitor improvement programs. Finally, the INFORM program offers organizations of a similar type the opportunity to compare their management of information assurance risk to ensure that they are maintaining a competitive position.

Benefits of INFORM

INFORM will help to identify answers to the information assurance questions that organizations are currently asking:

- What could I lose if I fail to comply with regulations or legislation?
- What is the financial impact if my information is seriously compromised?
- What is the potential impact of a serious incident?
- What are the potential impacts from threats and vulnerabilities?
- How well am I currently reducing my risks and potential losses?
- Which solution would further reduce my risk most effectively?
- How could I reduce them more effectively?

And, for many, the most important question of all: How much would it cost me and what is it worth to fix it?

Information security and information assurance

All enterprises depend on the information they create and use. For many years the conventional wisdom was that this information must be kept secure. The use of this term, while clearly implying the need for protection, fails to convey the importance of making appropriate information available when and where it is needed, a function that is particularly vital now that all organizations rely on networked information. In such circumstances it is preferable to use the term assurance, rather than security. Assurance implies that information systems must function not only to protect the information they handle but also as they need to, when they need to, under the control of legitimate users. [1]

This paper describes the methodology that has been developed by Symantec to help organizations understand, evaluate, and manage their information assurance risk. The methodology has been incorporated into a Web application and a facilitated program based on it: the INFORM (INFOrmation assurance Risk Model) program.

Information assurance and risk management

Managing risks to information assurance across an organization is not a trivial task. Considering sources of risk, it is possible to identify two distinct areas of concern: the short-term, tactical and operational, and the longer-term strategic and business. These two areas, and the type of issues that may represent a risk in each, are illustrated in figure 1. As indicated in figure 1, in most large organizations these two types of risk source are dealt with by separate parts of the enterprise. The shorter-term risks, connected with issues arising from access to information networks, tend to be dealt with by information technology departments. The longer-term risks, arising from business-focused issues, tend to be dealt with in finance or strategic- and risk-planning departments.

[Figure 1. Information assurance risks. Two silos: IT & Communications, with short-term, tactical and operational risks (risk issues: Staff Access, Customer & Business Partner Access, Access to Internet, Patching, IT Infrastructure), and Business & Finance, with longer-term, strategic and business risks (risk issues: Corporate Governance, Competitors, Business Development, Infrastructure Changes, Operational Risk, Market Fluctuations).]

1. U.K. Government Central Sponsor for Information Assurance.

However, because information is critical throughout the organization, it is essential that the management of information assurance risk is not compartmentalized between the two silos shown in figure 1. The demands of legislation and regulation, such as the U.S. Sarbanes-Oxley Act, [2] are increasingly driving businesses to recognize the importance of information flow between the silos. In attempting to accomplish this, they have come to realize that effective information assurance risk management implies the establishment of an ongoing dialogue between the two silos, and the implementation of a coordinated action plan based on that dialogue.

Establishing a dialogue

Establishing an information assurance dialogue between the IT and business strategy components of an organization requires that a common language is spoken, that risk assessment is treated in a mutually agreed way, and that a clear standard is used to explore the management of risk. Unfortunately, the bits and bytes of IT and the language of accountancy tend to be mutually incomprehensible. Similarly, network risk-assessment tools and operational risk analysis methodologies cannot easily be reconciled. And the existence of a plethora of competing standards makes it difficult to agree on one that is suitable for common use across the enterprise.

The INFORM methodology proposes that the dialogue can be simplified if monetary values are used to establish a common understanding of what is at risk. Monetary valuation of information assets has not been common in IT departments. However, driven by the regulatory demands mentioned above, there has been an increasing realization of the need to understand these assets in relation to their value to the business as a whole.

Risk assessment methodologies tend either to look at risks at a technical level or to consider wider risks in a high-level way, evaluating them on a scale such as high/medium/low or on a numerical scale (1 to 5, for example). However, all risk assessments rely on two common factors: the evaluation of the impact of a risk and the probability of it occurring. These common factors are used as the basis of the INFORM methodology described in this paper.

A number of standards have been developed to assist in the management of IT, such as COBIT (Control Objectives for Information and Related Technology) [3] and ITIL (the IT Infrastructure Library). [4] Corporate governance uses standards such as COSO (the Committee of Sponsoring Organizations of the Treadway Commission). [5] However, only one standard is international and deals with the management of information security: ISO 17799, the international standard for information security management systems, [6] and this is the standard used by the INFORM methodology.

2. See
3. See Information Systems Audit & Control Association:
4. See U.K. Office of Government Commerce:
5. See
6. See

Coordinated action plan

When developing a coordinated action plan, organizations wish to gain an indication of what they might do cost-effectively to improve their overall management of information assurance risk. Evaluating the cost-effectiveness of investment in information assurance is a difficult task. Classic return-on-investment shows a direct linkage between cash spent and savings made, for example, in the reduction of staff costs. However, it is hard to prove that money spent on information assurance will lead to reduced expenditure on resources. Indeed, this may not be a desirable outcome, if the reduction results in greater risk. Instead, it should be possible to demonstrate a linkage between the expenditure of resources and a reduction in risk exposure.

Challenges arise in measuring risk exposure and the potential of any action to reduce it. The INFORM methodology therefore uses the ISO standard as a benchmark against which an organization's management of its information assurance risk can be estimated. By linking an action plan to its ability to improve the implementation of ISO 17799, INFORM is able to show the potential of such a plan to increase total information assurance program effectiveness and thereby reduce the organization's information assurance risk.

Structured evaluation

Experience shows that organizations benefit greatly from being given the opportunity to discuss information assurance in a structured way, within a clearly repeatable framework. Such discussions have been found to be especially beneficial if representatives from both the IT and business risk silos are present, particularly if those representatives are able to discuss strategic issues. INFORM functions in such a way that it enables participants in the program to engage in facilitated discussions about risk-related strategic issues. The discussion is based around qualitative evaluations of impacts, threats, and vulnerabilities, using intelligent defaults as a starting point. The discussion lends itself to the generation of directional indicators that can be tailored to the experience of the individual organization or a part of an organization.

Experience also suggests that organizations welcome the opportunity to benchmark themselves. Such benchmarking may be undertaken against the international standard at different times or using different scenarios, between different business groups or locations in the same organization, or between different organizations of the same type, or within the same market sector. The essential feature of the INFORM program is that it allows such benchmarking and comparison to take place in a structured and repeatable way.

How INFORM works

The previous discussion establishes that INFORM is a means by which an organization can explore the effectiveness in reducing business risk exposure of its current and planned information assurance management programs. In order to do this, INFORM has five modules that provide an organization with the following:

1. Assessment of its assets-at-risk, and valuation of these in monetary terms
2. Assessment of the potential impact of information assurance on its assets-at-risk, and the annual probability of that impact
3. Measurement of its current information assurance effectiveness benchmarked against ISO 17799, and assessment of its desired target effectiveness
4. Assessment of an organization's current implementation of generic information assurance solutions, and selection of a program to improve these in order to approach its desired target for information assurance effectiveness
5. Ability to build comparative scenarios showing the effect on cost and risk reduction using different assessments of assets-at-risk, selecting different ISO control targets, or varying the selected solution programs; and display of these in executive summary and full report formats

The high-level process flow between these five modules is illustrated in figure 2.

[Figure 2. Process flow in INFORM modules: 1. Asset Valuation (Organization Type, Asset Valuation, IT Asset Capture); 2. Risk Exposure (Impact Assessment: Brand Value Impact, Information Impact, IT Impact; Probability Assessment: Threat Sources, Business Vulnerabilities, Probability of Occurrence; IA Risk Exposure); 3. ISO Benchmarking (Current Controls Assessment, Target Effectiveness); 4. Solution Program (Current Implementation, Action Plan); 5. Scenario Creation.]

INFORM is designed to function at a high level, allowing an organization to rapidly produce a benchmarking result and a preliminary scenario, which will indicate the degree of risk reduction that could be achieved for a chosen investment in a generic information assurance program. This may be used as the foundation of a business case or it may be taken as the basis for a more extensive investigation using INFORM. INFORM allows for either high-level or detailed usage within its five modules, each of which is examined in more detail in the following sections.

Asset valuation

The concept of intelligent defaults is used in operating this module, as it is in every INFORM module. Experience has shown that it is easier to make a decision about the appropriate dimension for a value, such as the worth of an asset, if a figure has been suggested by the application itself. Intelligent defaults either are driven by values previously entered in the application or are derived from Symantec or third-party research. All defaults can be overridden by values that are specific to the organization.

INFORM offers organizations many ways to value their assets. Broadly, these depend on the type of organization: publicly traded, privately owned, or not-for-profit. INFORM asks an organization to assess the value, in monetary terms, of its assets that may be at risk from information assurance failures or deficiencies. The definition of assets will depend not only on the type of organization as a whole, but also on the part of the organization under consideration. For example, an organization may wish to look at a group or department that is a cost center, rather than a revenue-generating center.

An essential factor when valuing assets is to consider the organization's overall appetite for risk. Thus an organization with a low appetite for risk (for example, a financial institution) will manage a greater percentage of its risk than an organization with a high appetite (for example, a start-up company). INFORM allows an organization to take its risk appetite into consideration, and thus condition the default target for the effectiveness of its information assurance controls.

INFORM also considers the potential impact on an organization of the remediation time needed to correct loss of availability of its IT infrastructure. It therefore asks an organization to assess, at a high level, the IT assets that might be at risk. It also takes into consideration such risk factors as the number of home and remote users and the number of countries within which an organization operates.

Impact assessment

As indicated in figure 2, INFORM considers the potential information assurance impact on an organization by looking at three factors:

1. Loss of brand value through legal or regulatory breaches
2. Loss of confidentiality, integrity, and availability of information
3. Impact of non-availability of IT infrastructure, in terms of remediation time

Legal and regulatory

Research has shown that organizations that have publicized breaches of legislation or regulation will lose, on average, 2.1% of their market value within two days of the event. [7] INFORM allows organizations to estimate their exposure to such risk by using slider bars to evaluate the relative

7. The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers. The University of Texas at Dallas School of Management. February

importance they attach to six types of legal and regulatory instrument. These are grouped as follows on the basis of shared functionality:

1. Data protection
2. Corporate governance
3. National security
4. Civil and criminal legal framework
5. Intellectual property protection
6. Sector-specific provisions

Figure 3 illustrates the slider bars for this part of the INFORM tool. It also shows the red arrows that are used to indicate the default positions for the slider bars. Such slider bars and default positions are used throughout the INFORM process. In this instance, the defaults are conditioned by the type of organization under consideration; thus a publicly quoted company will have a high default for corporate governance and a low default for national security, while the situation will be reversed for a government department.

[Figure 3. INFORM slider bars and defaults.]

Information loss

Failures or deficiencies in information assurance can result in the loss of confidentiality, integrity, or availability of information. For each of these three categories, INFORM asks organizations to assess, using slider bars, the relative importance of the following nine types of information:

1. Identity credentials
2. Consumer financial records
3. Business-to-business financial records
4. Patient health records
5. Personal information
6. Insider compliance/regulatory filing
7. Critical operational processes and production control
8. National infrastructure protection
9. Intellectual property

Each category gives an estimate of the value of loss in monetary terms conditioned by the relative importance attached to each of the nine types of information. However, experience shows that most organizations assess the loss of information availability as more significant than that of confidentiality and integrity, and this is reflected in the default impact value for this category. For each category, it is also possible to drill into particular sources of loss, by means of a spreadsheet that can be completed with more detailed information.

IT impact

INFORM asks organizations to use slider bars to assess the potential impact of major and minor incidences of information assurance failure or deficiency in its IT infrastructure. For each type of incident, the number of clients, servers, and other devices is estimated, as is the time taken to remedy the failure or deficiency. Again, INFORM offers organizations the opportunity to drill into a detailed spreadsheet to produce a more accurate estimate of potential impact from this source.

Probability assessment

The second element of risk assessment is the estimation of the probability that an impact will occur. INFORM uses the concept of annual frequency and estimates this by looking at the threats to an organization and at its vulnerabilities.

Threats

INFORM looks at nine high-level sources of threat. Again, slider bars are used to allow the organization to estimate the relative importance it attaches to these, indicating an overall rating for the threat in relation to a nominal average. The following nine categories of threat source are considered:

1. Organized crime
2. State-sponsored threats
3. Competitors
4. Business partners
5. Disgruntled customers and other outsiders
6. Disgruntled employees and other insiders
7. Social activists
8. Untargeted attacks
9. Errors and omissions

It will be evident that certain of these categories are more significant to some types of organizations. Thus state-sponsored threats will be of importance only to certain parts of national governments and perhaps to some very large global companies. Other threats may be of greater significance at certain times in an organization's development; thus competitors could be more of a threat during a hostile takeover attempt, and disgruntled employees could be more of a threat during a time when the organization is undergoing restructuring or a merger.

Vulnerabilities

INFORM encourages an organization to consider 29 vulnerabilities, divided between four general categories, as follows:

1. Organizational: 4 vulnerabilities relating to support for, and understanding of, information assurance
2. Location/process: 7 vulnerabilities relating to geographical concerns, business processes, and remote users
3. Internet: 9 vulnerabilities relating to use of the Internet for e-commerce and by employees
4. IT: 9 vulnerabilities relating to IT infrastructure, including software, staff, and outsourcing

The relative importance that the organization attaches to individual vulnerabilities within a category will produce a rating for that category in relation to a nominal average. The overall vulnerability rating is derived from the total of the ratings in all four categories. As with threats, vulnerabilities depend on the type of organization and its stage of development. Thus organizations that are heavily committed to electronic commerce will have significantly greater vulnerabilities in the Internet category than an organization that only uses the Internet for e-mail. The INFORM process can therefore usefully be deployed by a company that is considering expanding its e-commerce activities as a way to examine the effect that such a change might have on its overall management of information assurance.

Information assurance risk exposure

Symantec research has estimated possible worst case annual frequencies for the four types of information assurance impact as follows:

1. Major loss of brand value, once every two years
2. Major loss of information confidentiality, integrity, and availability, once every year
3. Major IT impact, twice a year
4. Minor IT impact, 20 times a year

Experience with numerous organizations suggests that these figures are not unreasonable. However, they will be refined as more organizations contribute information to the INFORM program. INFORM uses the threat rating and the overall vulnerability rating to create a frequency multiplier, which is used to modify the annual frequencies indicated above. Thus an organization may, as a result of its own assessment of its threats and vulnerabilities, have an annual frequency that is either greater or smaller than those shown. As with all INFORM figures, the organization is offered an opportunity to either accept or modify the calculated annual frequency.

To complete the risk assessment, figures for potential annual monetary information assurance risk are produced by multiplying the four types of impact by their annual frequency. Figure 4 shows an example of a completed INFORM risk exposure.

[Figure 4. Completed risk exposure.]

Experience with organizations has indicated that they welcome the opportunity to modify the calculation of their risk exposure in line with the degree of uncertainty they feel over the accuracy of their estimates. INFORM takes this into account by allowing an organization to express a percentage uncertainty in their calculations of risk exposure. The percentage can be adjusted between 0% and 50%, and scenarios can be created to show the risk exposure valuation when the chosen percentage is ignored (Medium), added (High), or subtracted (Low).

ISO benchmarking

INFORM then asks organizations to estimate their effectiveness in the management of information assurance by allowing them to compare themselves against the code of practice contained in the international standard for Information Security Management Systems (ISO/IEC 17799:2005). This standard is structured into 11 major control areas, with 39 control objectives and 130 individual controls. INFORM allows an organization to consider its information assurance at any, or all, of these three levels of granularity. The 11 control areas are:

1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance

Unlike many ISO gap analyses, INFORM relates the good practice contained in this ISO standard to the business needs of organizations. Thus INFORM uses slider bars to assess these factors: the relative importance that the organization, as a business, attaches to a control; its current effectiveness in implementing the control; and its target effectiveness, based on its risk tolerance (assessed at the Asset Valuation stage). INFORM then calculates a control gap based on this formula:

(Target effectiveness − Current effectiveness) × Control importance

In assessing the current state of its controls, the organization is offered a simple good practice statement that is derived from the ISO standard. For example, the following is the statement for the security policy control area:

- We have a clear, written security policy that supports our business objectives and legal and regulatory obligations
- Our policy has full management support
- Everyone has seen and understood our security policy
- The policy is reviewed regularly

Using these statements, experience has shown that organizations find it reasonably easy to estimate their current compliance. Experience has also shown that most organizations have one or more areas where the control gaps are significantly greater, rising above the noise. INFORM displays the control gaps as a bar chart (see figure 5), which makes poorly performing areas easier to see.

[Figure 5. Relative Gap Scores by Control Area (bar chart over Policy, Organization, Assets, Human resources, Physical, Operations, Access, Development, Incident, Continuity, Compliance).]
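As an added worked example, not code from Symantec's INFORM application, the following Python puts the arithmetic of the risk exposure and ISO benchmarking sections together: monetary impacts multiplied by the worst-case annual frequencies and a threat/vulnerability frequency multiplier, the Low/Medium/High uncertainty scenarios, and the control gap formula ranked by control area. The four frequencies, the 0% to 50% uncertainty range and the gap formula come from the paper; treating the multiplier as the product of the two ratings, and every monetary value and slider position, are assumptions of this example.

```python
"""Worked example added to this transcription; it is not Symantec's INFORM
code. It reproduces the risk-exposure and control-gap arithmetic the paper
describes, on constructed sample figures.

From the paper: the four worst-case annual frequencies, the Low/Medium/High
uncertainty scenarios (0..50%), and the gap formula
(Target effectiveness - Current effectiveness) x Control importance.
Assumed here: the frequency multiplier is the product of the threat and
vulnerability ratings, and all monetary values and slider positions.
"""
from dataclasses import dataclass

# Worst-case annual frequencies stated in the paper: brand loss once every two
# years, information loss once a year, major IT impact twice a year, minor IT
# impact 20 times a year.
WORST_CASE_FREQUENCY = {
    "brand_value": 0.5,
    "information_loss": 1.0,
    "major_it_impact": 2.0,
    "minor_it_impact": 20.0,
}


def frequency_multiplier(threat_rating: float, vulnerability_rating: float) -> float:
    """Combine the overall threat and vulnerability ratings into one multiplier.

    Both ratings are relative to a nominal average of 1.0, so 1.2 means 20%
    above average. Multiplying them is an assumption of this example, not a
    formula published in the paper.
    """
    if threat_rating <= 0 or vulnerability_rating <= 0:
        raise ValueError("ratings are relative to a nominal average and must be positive")
    return threat_rating * vulnerability_rating


def annual_risk_exposure(impacts: dict, multiplier: float) -> dict:
    """Monetary impact x (worst-case frequency x multiplier), per impact type."""
    missing = set(WORST_CASE_FREQUENCY) - set(impacts)
    if missing:
        raise KeyError(f"no impact value for {sorted(missing)}")
    return {
        kind: impacts[kind] * WORST_CASE_FREQUENCY[kind] * multiplier
        for kind in WORST_CASE_FREQUENCY
    }


def exposure_scenarios(impacts: dict, multiplier: float, uncertainty_pct: float) -> dict:
    """Total exposure with the uncertainty percentage subtracted (Low),
    ignored (Medium) and added (High). The paper limits it to 0..50%."""
    if not 0 <= uncertainty_pct <= 50:
        raise ValueError("uncertainty must be between 0% and 50%")
    medium = sum(annual_risk_exposure(impacts, multiplier).values())
    band = medium * uncertainty_pct / 100
    return {"Low": medium - band, "Medium": medium, "High": medium + band}


@dataclass(frozen=True)
class ControlArea:
    """One ISO 17799 control area with its three slider values (0.0..1.0)."""
    name: str
    importance: float  # relative importance to the business
    current: float     # current effectiveness
    target: float      # target effectiveness, conditioned by risk appetite


def control_gap(area: ControlArea) -> float:
    """(Target effectiveness - Current effectiveness) x Control importance.
    A negative result means the area already exceeds its target."""
    for value in (area.importance, area.current, area.target):
        if not 0 <= value <= 1:
            raise ValueError(f"{area.name}: slider values must lie in 0..1")
    return (area.target - area.current) * area.importance


def rank_control_gaps(areas) -> list:
    """Largest gap first, so the areas 'rising above the noise' come to the top."""
    return sorted(((a.name, control_gap(a)) for a in areas), key=lambda t: t[1], reverse=True)


# Constructed sample organization (these are not Symantec defaults).
SAMPLE_IMPACTS = {
    "brand_value": 2_000_000,
    "information_loss": 1_500_000,
    "major_it_impact": 300_000,
    "minor_it_impact": 10_000,
}
SAMPLE_CONTROL_AREAS = [
    ControlArea("Security policy", importance=0.8, current=0.5, target=0.9),
    ControlArea("Incident management", importance=0.9, current=0.3, target=0.9),
    ControlArea("Compliance", importance=0.6, current=0.7, target=0.8),
]

if __name__ == "__main__":
    mult = frequency_multiplier(threat_rating=1.2, vulnerability_rating=0.9)
    for name, value in exposure_scenarios(SAMPLE_IMPACTS, mult, 25).items():
        print(f"{name:>6}: {value:>14,.0f}")
    for name, gap in rank_control_gaps(SAMPLE_CONTROL_AREAS):
        print(f"{name:<20} gap {gap:.2f}")
```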

Solution program and scenario creation

INFORM next looks at the way an organization can improve the effectiveness of its information assurance risk management. This is done by first considering how the organization is currently implementing 15 generic information assurance programs. Next, one or more of these programs is selected for improvement, and a costed action plan is produced. This will finally enable an organization to construct scenarios that can be used for business planning purposes.

Current implementation

The generic information assurance programs considered by INFORM are as follows:

1. Network segmentation, availability, and perimeter defense
2. Protocol and host security
3. Secure build deployment and patch management
4. Configuration management and change control
5. Security policy, documentation, and compliance
6. Secure application design, development, and testing
7. Authentication and access control
8. Data storage and protection
9. Security strategy and risk management
10. Incident readiness and response
11. Training and awareness
12. Assessment and auditing
13. Physical security
14. Security in organizational structure and personnel
15. Asset inventory classification and management

Organizations are asked to use slider bars to estimate their current effectiveness in implementing each of these programs. To assist in this task, INFORM offers advice about the content of each program and also the sub-solutions that form part of the overall program for a solution. For example, best practice in network segmentation, availability, and perimeter defense is described in the following way:

By establishing a sound network design that is understood and followed, an organization can easily identify areas of risk and design methods of threat mitigation. Effective infrastructure security provides significant improvements in the areas of network defense, incident response, fault analysis, threat containment, and overall availability.

The sub-solutions for network segmentation, availability, and perimeter defense are shown as: Firewalls, VPN servers, Proxy servers, Security gateways, Routers, Remote access gateways, Secure modems, Policy enforcement access control, Spam throttle devices, Integrated network security appliances, DMZ and network integration, Partitioning and zoning, Segmentation, Availability, Managed Switches, Redundancy (Hardware, software, facilities), Firewalls, Antispam, and VPN Concentrator.

Action plan

Once the survey of their current information assurance solution effectiveness is complete, organizations are invited to develop a targeted action plan to make improvements. INFORM links generic solutions to the ISO controls in a many-to-many relationship. Using these linkages, the solutions are offered as a list prioritized according to their effectiveness in reducing ISO control gaps. From this list, the organization can select one or more programs to include in their improvement action plan.

Once organizations have selected solution programs, INFORM asks them to consider the cost of implementing them. Default costs for contractors, internal staff, and technology are shown, based on the size of the organization's IT infrastructure. Full lifecycle costs are also taken into consideration, including maintenance and license renewals. Annual costs are shown, by default amortized over three years. In building an initial scenario, costs can be roughly estimated. However, INFORM also offers the opportunity to use detailed worksheets to calculate more accurate costs. INFORM asks organizations to estimate the anticipated degree of successful implementation of the solution, following completion of the action plan.
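The cost side of the action plan, as an added example that is not part of the original paper or of INFORM: one-off contractor, staff and technology costs are annualized over the paper's default three years and added to yearly maintenance and license costs, the expected gap closure is scaled by the anticipated degree of successful implementation, and the result is set against the annual risk exposure it is expected to remove, which is how the executive summary says an investment is judged. The assumption that risk exposure falls in proportion to the share of the control gap closed, the additive treatment of several programs in one plan, and every figure are constructions of this example.

```python
"""Worked example added to this transcription; it is not Symantec's INFORM
code. It annualizes the cost of a solution program and compares it with the
annual risk exposure the program is expected to remove.

From the paper: default costs for contractors, internal staff and technology;
lifecycle costs such as maintenance and license renewals; annual costs
amortized over three years by default; and an estimate of the degree of
successful implementation. Assumed here: risk exposure falls in proportion to
the share of the control gap actually closed, the gap shares of programs in
one plan simply add up, and every figure below.
"""
from dataclasses import dataclass

AMORTIZATION_YEARS = 3  # the paper's default amortization period


@dataclass(frozen=True)
class SolutionProgram:
    name: str
    contractor_cost: float         # one-off
    internal_staff_cost: float     # one-off
    technology_cost: float         # one-off purchase
    annual_running_cost: float     # maintenance and license renewals
    gap_closed: float              # share (0..1) of the total control gap closed at full success
    implementation_success: float  # anticipated degree of successful implementation (0..1)


def annualized_cost(program: SolutionProgram, years: int = AMORTIZATION_YEARS) -> float:
    """One-off costs spread over the amortization period plus yearly running costs."""
    if years < 1:
        raise ValueError("amortization period must be at least one year")
    one_off = program.contractor_cost + program.internal_staff_cost + program.technology_cost
    return one_off / years + program.annual_running_cost


def expected_risk_reduction(program: SolutionProgram, baseline_exposure: float) -> float:
    """Exposure removed = baseline x gap share closed x degree of successful implementation.
    The proportionality is an assumption of this example."""
    if not 0 <= program.gap_closed <= 1 or not 0 <= program.implementation_success <= 1:
        raise ValueError(f"{program.name}: gap_closed and implementation_success must be 0..1")
    return baseline_exposure * program.gap_closed * program.implementation_success


def evaluate(program: SolutionProgram, baseline_exposure: float) -> dict:
    """Annualized cost against expected annual risk reduction for one program."""
    cost = annualized_cost(program)
    reduction = expected_risk_reduction(program, baseline_exposure)
    return {
        "program": program.name,
        "annualized_cost": cost,
        "risk_reduction": reduction,
        "net_benefit": reduction - cost,
        "justified": reduction > cost,
    }


def evaluate_plan(programs, baseline_exposure: float) -> dict:
    """A scenario for a whole action plan: the selected programs summed.
    Summing gap shares ignores overlap in the many-to-many solution/control
    linkage, which is a simplification of this example."""
    results = [evaluate(p, baseline_exposure) for p in programs]
    cost = sum(r["annualized_cost"] for r in results)
    reduction = sum(r["risk_reduction"] for r in results)
    return {
        "programs": [r["program"] for r in results],
        "annualized_cost": cost,
        "risk_reduction": reduction,
        "net_benefit": reduction - cost,
        "justified": reduction > cost,
    }


def compare_scenarios(programs, baseline_exposure: float) -> list:
    """Candidate programs ranked by net benefit, largest first."""
    return sorted((evaluate(p, baseline_exposure) for p in programs),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample figures (not Symantec defaults).
SAMPLE_BASELINE_EXPOSURE = 3_500_000.0  # Medium-scenario annual risk exposure
SAMPLE_PROGRAMS = [
    SolutionProgram("Training and awareness", 40_000, 30_000, 20_000, 20_000, 0.10, 0.8),
    SolutionProgram("Asset inventory classification and management",
                    100_000, 60_000, 80_000, 45_000, 0.06, 0.5),
]

if __name__ == "__main__":
    for r in compare_scenarios(SAMPLE_PROGRAMS, SAMPLE_BASELINE_EXPOSURE):
        print(f"{r['program']:<48} cost {r['annualized_cost']:>9,.0f} "
              f"reduction {r['risk_reduction']:>9,.0f} justified={r['justified']}")
    print(evaluate_plan(SAMPLE_PROGRAMS, SAMPLE_BASELINE_EXPOSURE))
```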

INFORM enables an organization to see how its targeted and costed action plan reduces some or all of the gaps identified in their management of the ISO controls. Figure 6 shows how the implementation of the solution program, Asset Inventory Classification and Management, and Training and Awareness, could potentially contribute to closing the ISO control gaps for a sample organization. As shown, the solution chosen, while addressing a number of the gaps, has only a small effect on the largest gap (Information security incident management); in this case, therefore, the organization may wish to consider other solutions.

[Figure 6. Solution ability to close control gaps. Bar chart "Estimate of Improved Security Program Effectiveness", 0.0% to 4.0%, by control area (Policy, Organization, Assets, Human resources, Physical, Operations, Access, Development, Incident, Continuity, Compliance); series: Action Plan, Total Opportunity.]

Scenario creation and reporting

When undertaking an assessment, INFORM creates an account that is unique to the organization. Within this account any number of individual scenarios can be created. These could be used to compare different parts of the organization, different levels of certainty in the assessment of risk exposure, or different solution action plans. Having created a scenario, reports can be produced at either an executive summary level or at a detailed level, showing all the data entered and results calculated. Examples of the charts that are displayed in the executive reports are shown in figure 7.

The INFORM program will also allow the preparation of reports that compare scenarios. This feature can be used to compare different parts or groups of an organization, or different locations. Such comparisons will allow an organization to implement a consistent and structured improvement program throughout.

Furthermore, if INFORM is used to make regular assessments, it can be used as a tool to monitor trends in implemented improvement programs. Finally, data in INFORM can be made anonymous and used to build a database that will enable organizations to compare themselves against their peers. Such comparative benchmarking will demonstrate the overall cost-effectiveness of the organization's information assurance program.

[Figure 7. Extract from executive summary report. Left panel, "Relative Importance to the Information Security Program": Operations 13.1%, Access 12.4%, Incident 11.4%, Physical 11.0%, Continuity 9.1%, Human resources 8.9%, Assets 8.7%, Compliance 8.4%, Development 6.8%, Policy 5.4%, Organization 4.7%. Right panel, "Current versus Target Effectiveness by ISO Control Area": bars from 0% to 100% per control area (Policy, Organization, Assets, Human resources, Physical, Operations, Access, Development, Incident, Continuity, Compliance); series: Current Effectiveness, Target Effectiveness.]

Conclusion

The INFORM program enables organizations to explore ways of improving the cost-effectiveness of their information assurance in a structured, repeatable way. In doing so, it also allows them to:

- Benchmark information assurance management between business groups and locations.
- Analyze trends over time to monitor improvement.
- Compare their management of information assurance risk with others, to ensure that they are maintaining a competitive position.

For more information on INFORM, please contact your Symantec sales representative or send an e-mail to

About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at

Symantec Corporation World Headquarters, Stevens Creek Blvd., Cupertino, CA, USA. +1 (408) (800)

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. All other brand and product names are trademarks of their respective holder(s). Copyright 2006 Symantec Corporation. All rights reserved. Printed in the U.S.A.

More information

Asset management Overview, principles and terminology

Asset management Overview, principles and terminology INTERNATIONAL STANDARD ISO 55000 First edition 2014-01-15 Asset management Overview, principles and terminology Gestion d actifs Aperçu général, principes et terminologie Reference number ISO 55000:2014(E)

More information

FSC36 SAFE FEED/SAFE FOOD GUIDANCE DOCUMENT

FSC36 SAFE FEED/SAFE FOOD GUIDANCE DOCUMENT FSC36 SAFE FEED/SAFE FOOD GUIDANCE DOCUMENT FSC36 Safe Feed/Safe Food (www.safefeedsafefood.org) is a facility certification program for the American Feed Industry Association (www.afia.org) Version 7.0

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Applicable to All employees Version1.0 Last Updated March 2014 CONFIDENTIAL Page 2 of 6 Contents 1. Objectives 3 2. Scope 3 3. Principles 3 4. Information Governance Policy

More information

December 2015 THE STATUS OF GOVERNMENT S GENERAL COMPUTING CONTROLS:

December 2015 THE STATUS OF GOVERNMENT S GENERAL COMPUTING CONTROLS: December 2015 THE STATUS OF GOVERNMENT S GENERAL COMPUTING CONTROLS: 2014 www.bcauditor.com CONTENTS Auditor General s Comments 3 623 Fort Street Victoria, British Columbia Canada V8W 1G1 P: 250.419.6100

More information

Creating an IWMS Implementation Plan

Creating an IWMS Implementation Plan Creating an IWMS Implementation Plan Overview The increased information available through an Integrated Workplace Management System (IWMS) impacts every part of an organization and can dramatically increase

More information

A Risk Management Process for Information Security and Business Continuity

A Risk Management Process for Information Security and Business Continuity A Risk Management Process for Information Security and Business Continuity João Carlos Gonçalves Fialho Instituto Superior Técnico - Taguspark joaogfialho@gmail.com ABSTRACT It was from the DNS.PT internship

More information

FORTUNE FAVORS THE BRAVE EMPOWERING THE BACK OFFICE INSIGHT REPORT

FORTUNE FAVORS THE BRAVE EMPOWERING THE BACK OFFICE INSIGHT REPORT FORTUNE FAVORS THE BRAVE EMPOWERING THE BACK OFFICE INSIGHT REPORT Contents Technology in the back office Regulation Tech trends The future of the back office Conclusions Technology in the back office

More information

IBM Tivoli Endpoint Manager for Lifecycle Management

IBM Tivoli Endpoint Manager for Lifecycle Management IBM Endpoint Manager for Lifecycle Management A single-agent, single-console approach for endpoint management across the enterprise Highlights Manage hundreds of thousands of endpoints regardless of location,

More information