

Establishing Information Security objectives

Business managers expect information security to protect information in business systems and to prevent those systems from being interrupted. Information security supports the business in achieving its objectives. To begin developing a strategic plan for security it is essential to understand the business objectives and the key elements of the information security function. Business objectives can be analysed to identify their dependencies on security, and the security objectives can then be defined in terms of the business objectives. The security objectives are in turn shaped by business and environmental constraints, and by threats and vulnerabilities. Metrics are developed to allow comparison between current security capability and the capability required to meet business requirements. Strategies can then be developed to fill the gap between current and planned capability while allowing for environmental constraints and threats.

A strategy is the direction or approach taken to meet one or more objectives. Strategies do not have priorities: they are mutually exclusive. Each strategy is supported by one or more initiatives. An initiative is the implementation of an operational plan that achieves part or all of the security objectives. The overall objective is to implement a range of initiatives that collectively achieve all of the security objectives.

Each network service that you use or provide poses risks to your system and to the network to which it is connected. A security policy is a set of rules that apply to activities involving the computer and communications resources that belong to an organization. These rules cover areas such as physical security, personnel security, administrative security, and network security. Your security policy defines what you want to protect and what you expect of your system users. It provides a basis for security planning when you design new applications or expand your current network. It describes user responsibilities, such as protecting confidential information and creating nontrivial passwords. Your security policy should also describe how you will monitor the effectiveness of your security measures; such monitoring helps you determine whether someone might be attempting to circumvent your safeguards. To develop your security policy, you must clearly define your security objectives. After you create a security policy, you must take steps to put its rules into effect. These steps include training employees and adding the software and hardware necessary to enforce the rules. Also, when you make changes to your computing environment, you should update your security policy, so that you address any new risks the changes might introduce.
When you create and carry out a security policy, you must have clear objectives. Security objectives fall into one or more of the following categories:

  1. Resource protection
    Your resource protection scheme ensures that only authorized users can access objects on the system. The ability to secure all types of system resources is a strength of the system. You should carefully define the different categories of users that can access your system and, as part of creating your security policy, define what access authorization you want to give each of these groups.
  2. Authentication
    The assurance or verification that the resource (human or machine) at the other end of the session really is what it claims to be. Solid authentication defends a system against the security risk of impersonation, in which a sender or receiver uses a false identity to access a system. Traditionally, systems have used passwords and user names for authentication; digital certificates can provide a more secure method of authentication while offering other security benefits as well. When you link your system to a public network like the Internet, user authentication takes on new dimensions. An important difference between the Internet and your intranet is your ability to trust the identity of a user who signs on. Consequently, you should consider seriously the idea of using stronger authentication methods than traditional user name and password logon procedures provide. Authenticated users might have different types of permissions based on their authorization levels.
  3. Authorization
    The assurance that the person or computer at the other end of the session has permission to carry out the request. Authorization is the process of determining who or what can access system resources or perform certain activities on a system. Typically, authorization is performed in the context of authentication.
  4. Integrity
    The assurance that arriving information is the same as what was sent out. Understanding integrity requires you to understand the concepts of data integrity and system integrity.

    1. Data integrity: Data is protected from unauthorized changes or tampering. Data integrity defends against the security risk of manipulation, in which someone intercepts and changes information to which he or she is not authorized. In addition to protecting data that is stored within your network, you might need additional security to ensure data integrity when data enters your system from untrusted sources. When data that enters your system comes from a public network, you need security methods so that you can perform the following tasks:
      • Protect the data from being sniffed and interpreted, typically by encrypting it.
      • Ensure that the transmission has not been altered (data integrity).
      • Prove that the transmission occurred (nonrepudiation). In the future, you might need the electronic equivalent of registered or certified mail.
    2. System integrity
      Your system provides consistent and expected results with expected performance. For the i5/OS operating system, system integrity is the most commonly overlooked component of security because it is a fundamental part of i5/OS architecture. i5/OS architecture, for example, makes it extremely difficult for a hacker to imitate or change an operating system program when you use security level 40 or 50.
  5. Nonrepudiation
    The proof that a transaction occurred, or that you sent or received a message. The use of digital certificates and public key cryptography to sign transactions, messages, and documents supports nonrepudiation. Both the sender and the receiver agree that the exchange takes place. The digital signature on the data provides the necessary proof.
  6. Confidentiality
    The assurance that sensitive information remains private and is not visible to an eavesdropper. Confidentiality is critical to total data security. Encrypting data by using digital certificates and Secure Sockets Layer (SSL) or virtual private network (VPN) connections helps ensure confidentiality when transmitting data across untrusted networks. Your security policy should describe how you will provide confidentiality for information within your network as well as when information leaves your network.
  7. Auditing security activities
    Monitoring security-relevant events to provide a log of both successful and unsuccessful (denied) access. Successful access records tell you who is doing what on your systems. Unsuccessful (denied) access records tell you either that someone is attempting to break your security or that someone is having difficulty accessing your system.

6.2 Information security objectives and planning to achieve them

The organization must establish information security objectives at relevant functions and levels. The information security objectives must be consistent with the information security policy and, if practicable, must be measurable. They must take into account applicable information security requirements and the results of risk assessment and risk treatment, and they must be communicated and updated as appropriate. The organization must retain documented information on the information security objectives.
When planning how to achieve the information security objectives, the organization must determine what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.

Set Objectives

Section 6.2 of the standard essentially boils down to the question: ‘How do you know if your information security management system is working well?’ To answer it you need to arrive at a set of objectives, keeping in mind clauses 4.1, 4.2, 4.3 and 6.1, and determine how you will evaluate and measure performance against each of those objectives. Consider the objectives you want to achieve as an organisation in relation to information security. Some examples could be:

  • “Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”
  • “Provide a pragmatic digital paperless ISMS for staff (and other interested parties who need to access it), integrated into their day to day work practices to ensure it becomes a habit for good performance not an inhibitor to getting their work done.”
  • How can you write measurable objectives?
    Plans by their nature are largely concerned with change or an effort to maintain valued aspects of the current situation. The extensive process of information collection and analysis, consultation, validation and priority setting is used to identify where you think effort needs to be focussed. When it comes to writing these into objectives, there should be a clear logic between objectives and the goal they are pursuing. Objective statements will follow a general form: ‘To do what, for whom, by when?’. Careful selection of the language used to express objectives can provide clearer intention of what will be done and what you hope to achieve. Strong, clear verbs describe the ‘do’ component and are the key to setting the tone and commitment of the objective. The list of verbs below provides some examples of words that are action oriented applied to common interventions.
    Caution is recommended against the over-use of words such as ‘develop’, ‘facilitate’ or ‘support’. These are less descriptive and can dull the tone of a plan if over-used. However, they should not be replaced with inferior, vaguer words or, at the other extreme, with technical terms or jargon. Avoid words like ‘enhance’ and ‘commit’, which are not specific and hence more difficult to measure. Also, avoid using multiple verbs in an objective. For example:
    Not: ‘To explore opportunities to increase access to…’
    Try: ‘To increase access to …’
    In this case, ‘exploring opportunities’ is probably a step towards ‘increasing access’. However, you don’t need to include the steps you will take to achieve your objective in the objective statement. If it warrants it, this will be described at the strategy level (strategies being, as stated above, the actions taken to reach these objectives). Words like ‘explore’, ‘discuss’, ‘commence’, ‘seek’ and ‘encourage’ are often used in this way and should be avoided. If these words cannot be replaced by a more direct word, the likelihood is that you are describing a strategy, not an objective, or that you are not yet clear in your own mind about what you propose to do.
  • How can you keep your objectives consistent?
    One of the challenges of plan writing is creating a consistent relationship between plan statements so that they are pitched at a consistent level. It is confusing if an objective in one part of a document is a broad statement while in another it is quite specific (more like a strategy). One way of checking whether your objectives are pitched at the right level is to ask ‘why?’ The answer will test the theory behind your objective and should lead you to a health and wellbeing goal – whether stated or implied. If the goal is more than one step away from the statement, the likelihood is that it is pitched at a strategy level. The verbs used might not provide any clues to the appropriate level. Words like ‘increase’ and ‘decrease’ are likely to be used at both goal level and strategy level. However, at a goal level ‘increase’ is likely to be applied to quality of life and ‘decrease’ to the incidence of illness or disease, whereas at a strategy level both are likely to be applied to features of service systems or standards. Other words might fit either an objective or a strategy level; some, however, will suggest that the statement is better included at the strategy level. Words more common at a strategy level include:
  • How can I check my objectives?
    A good way to test your objectives is to use the SMART technique. SMART statements have the following characteristics.
    S specific: it indicates clear action on a determinant, population group and setting.
    M measurable: it includes features that will help you tell whether it has succeeded.
    A attainable: it can be realistically achieved on time and within available resources.
    R relevant: it is a logical way to achieve your goals.
    T time-framed: it indicates a timeframe for action.
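The guidance above can be applied mechanically. The following checker is an added example (not part of the original article); it tests an objective statement against the ‘To do what, for whom, by when?’ form, flags the strategy-level and vague verbs the text names, and checks for a measurable target and a timeframe. The verb lists and timeframe patterns are constructed for the example.

```python
import re

# Vocabulary drawn from the guidance above: verbs that signal a strategy step rather
# than an objective, words that are hard to measure, and weak verbs that dull a plan.
STRATEGY_VERBS = {"explore", "discuss", "commence", "seek", "encourage"}
VAGUE_WORDS = {"enhance", "commit"}
WEAK_VERBS = {"develop", "facilitate", "support"}
# Constructed list of acceptable action verbs, used only to count verbs per statement.
ACTION_VERBS = {"increase", "decrease", "reduce", "deliver", "provide", "achieve",
                "restore", "complete", "train", "implement", "prevent", "maintain"}

# Constructed patterns for the 'by when?' component.
TIME_PATTERNS = [
    r"\bby (the end of )?(q[1-4]|\d{4}|[a-z]+ \d{4})\b",
    r"\bwithin \d+ (days?|weeks?|months?|years?)\b",
    r"\b(each|every|per) (day|week|month|quarter|year|\d+ months)\b",
    r"\bin the next (year|quarter|month|\d+ (months|years))\b",
]
# The 'measurable' component: a percentage, a number, or an explicit zero target.
MEASURE_PATTERN = r"(\d+(\.\d+)?\s*%|\b\d+\b|\b(no|zero|none)\b)"


def check_objective(statement: str) -> dict:
    """Return SMART-style findings for one objective; no findings means it passes."""
    text = statement.strip().strip("‘’'\"").lower()
    words = re.findall(r"[a-z0-9%]+", text)   # keep digits so '20%' survives
    findings = []

    # 'To do what': the statement should open with "To <verb>".
    if len(words) < 2 or words[0] != "to":
        findings.append("does not follow the 'To <verb> ...' form")
    verb = words[1] if len(words) > 1 else ""
    if verb in STRATEGY_VERBS:
        findings.append(f"'{verb}' describes a strategy step, not an objective")
    if verb in WEAK_VERBS:
        findings.append(f"'{verb}' is a weak verb; prefer a more specific one")
    for w in sorted(VAGUE_WORDS & set(words)):
        findings.append(f"'{w}' is not specific and is hard to measure")

    # Multiple verbs ('to explore opportunities to increase ...') signal a strategy.
    known = ACTION_VERBS | STRATEGY_VERBS | WEAK_VERBS
    verbs_used = [words[i + 1] for i in range(len(words) - 1)
                  if words[i] == "to" and words[i + 1] in known]
    if len(verbs_used) > 1:
        findings.append("uses more than one verb; state the outcome, not the steps")

    # Measurable and time-framed components.
    if not re.search(MEASURE_PATTERN, text):
        findings.append("no measurable target (number, percentage or zero)")
    if not any(re.search(p, text) for p in TIME_PATTERNS):
        findings.append("no timeframe ('by when?')")
    return {"statement": statement, "findings": findings, "passes": not findings}


if __name__ == "__main__":
    for s in ["To explore opportunities to increase access to the ISMS by 20% within 6 months",
              "To increase access to the ISMS by 20% within 6 months",
              "To enhance security awareness"]:
        result = check_objective(s)
        print(s, "->", "OK" if result["passes"] else result["findings"])
```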

Determine metrics system

Once you have those objectives, consider the key things that should and shouldn’t be happening if you were to meet each one of them, and how you would go about measuring those things. For example, a key measure of success could be the availability of systems for customers to use, so you could have an uptime objective of 99.5% (or an SLA with customers) as one of the measures we track each month using our uptime monitoring systems. When you are thinking about what to measure, keep in mind the three key principles that run through ISO 27001: confidentiality, availability and integrity. So, for example, some of the things we looked at to measure ourselves against were:

  • System uptime with a target of 99.5% (availability)
  • Any failures in our backups with a target of none (integrity)
  • Number of corrective actions with a target of none (all)

The philosophy of ISO 27001 is the PDCA management cycle (Plan-Do-Check-Act). The concept of measurement is also best explained through this PDCA cycle:

  • In the Plan phase you set the objectives
  • In the Do phase you work out how to measure the extent to which your objectives are achieved
  • In the Check phase you carry out the actual measurement, and finally
  • In the Act phase, once you realise you haven’t achieved your objectives (which is very often the case), you make the necessary improvements

So how can you measure a backup, or a firewall? The secret lies in setting objectives that are easy to measure – you might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.

  • So, what would it look like for the firewall? Something like ‘We want our firewall to stop 100% of unwanted network traffic’. Is it measurable? Yes – you will find out, sooner or later, whether any unwanted traffic has passed through the firewall.
  • Another example – backup. The objective could be ‘We want our maximum loss of data to be 6 hours.’ Measurable? Yes – and you don’t have to wait for data loss to happen: you can test your backup and see how much of the data you can restore.
  • An example of an objective for the whole ISMS could be ‘We want to decrease the number of information security incidents by 50% in the next year’. Again, pretty specific and therefore measurable.

Setting the objectives and measuring them is a rather new and unexplored aspect of information security. It is very often considered as an overhead because of the lack of knowledge in the first place, not so much because of practical reasons.

Here are some examples of information security objectives:

| S. No. | Parameter | Objective | Periodicity | Responsible Team |
|---|---|---|---|---|
| 1 | Average minor non-conformities per audit cycle (per department) | <=5 | Every 6 months (post-audit) | ISMS |
| 2 | Impact on assets/human resources due to fire accidents | =100% compliance | Every 6 months | ISMS |
| 3 | Internet downtime (on working days in working hours) | >=99% availability | Every 6 months | IT Team |
| 4 | Infected file status (new + still infected) count because of virus and spyware | <=3 | Every 6 months | IT Team |
| 5 | Overall high-priority incident occurrence rate: Admin + Facilities | <=5 | Every 6 months (pre-audit) | ISMS |
|   | Overall high-priority incident occurrence rate: IT | <=5 | Every 6 months (pre-audit) | ISMS |
|   | Overall high-priority incident occurrence rate: HR (should include incidents related to POSH) | <=5 | Every 6 months (pre-audit) | ISMS |
|   | Overall high-priority incident occurrence rate: Customer Delivery/Project | <=5 | Every 6 months (pre-audit) | ISMS |
| 6 | Customer satisfaction on internal infrastructure | >=90% | Every 6 months (pre-audit) | Support/Delivery/IT |
| 7 | License issues | =100% compliance | Every 6 months | IT |
| 8 | IP/Legal issues | =100% compliance | Every 6 months | Management/Directors |
| 9 | Repetition of audit findings in next internal audit | <=2 | Every 6 months (post-audit) | ISMS |
| 10 | Count of residual risks | <=10 | Every 6 months (pre-audit) | ISMS |
| 11 | Full backup failures | <=2 times | Every 6 months | IT Team |
| 12 | Downtime due to power failure (during working hours) | <=6 hours | Every 6 months | Admin team |
| 13 | Number of employees relieved/terminated without execution of HR exit checklist | =100% compliance | Every 6 months | HR team |
| 14 | Security testing for all projects | =100% compliance | Every 6 months | Delivery team |
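Objectives written in the table's form (a parameter, a target such as <=5 or >=99%, and an owning team) can be evaluated each period from operational data. The following is an added example, not the article's own tooling: it parses the table's target expressions, derives two measurements (availability from constructed monitoring probes, full-backup failures from constructed job log lines) and reports which objectives were missed. The objective names, log format and figures are constructed for the example.

```python
import re

# A subset of the objectives from the table above: (parameter, target, responsible team).
OBJECTIVES = [
    ("Average minor non-conformities per audit cycle", "<=5", "ISMS"),
    ("Internet availability in working hours", ">=99% availability", "IT Team"),
    ("Infected file count (new + still infected)", "<=3", "IT Team"),
    ("License issues", "=100% compliance", "IT"),
    ("Full backup failures", "<=2 times", "IT Team"),
    ("Downtime due to power failure (hours)", "<=6 hours", "Admin team"),
]

# Target expressions in the table look like '<=5', '>=99% availability', '=100% compliance'.
TARGET_RE = re.compile(r"^\s*(<=|>=|=)\s*(\d+(?:\.\d+)?)\s*(%?)")


def parse_target(expr: str):
    """Split a target expression into (operator, numeric value, is_percentage)."""
    m = TARGET_RE.match(expr)
    if not m:
        raise ValueError(f"unrecognised target expression: {expr!r}")
    op, value, pct = m.groups()
    return op, float(value), pct == "%"


def meets_target(measured: float, expr: str) -> bool:
    """True when the measured value satisfies the table's target expression."""
    op, value, _ = parse_target(expr)
    return {"<=": measured <= value, ">=": measured >= value, "=": measured == value}[op]


# Constructed monitoring data: one probe per working-hour interval, 1 = reachable, 0 = down.
UPTIME_SAMPLES = [1] * 398 + [0] * 2

# Constructed backup job log for the period (dates and reasons are illustrative).
BACKUP_LOG = """\
2024-01-05 02:00 job=FULL status=OK
2024-01-12 02:00 job=FULL status=FAILED reason=tape_error
2024-01-19 02:00 job=FULL status=OK
2024-01-26 02:00 job=INCR status=FAILED reason=timeout
2024-02-02 02:00 job=FULL status=FAILED reason=disk_full
2024-02-09 02:00 job=FULL status=OK
"""


def availability_percent(samples) -> float:
    """Availability as the share of probes that found the service reachable."""
    return round(100.0 * sum(samples) / len(samples), 2)


def count_full_backup_failures(log: str) -> int:
    """Count failed FULL jobs; incremental failures belong to a different objective."""
    pattern = re.compile(r"job=FULL\b.*\bstatus=FAILED\b")
    return sum(1 for line in log.splitlines() if pattern.search(line))


def evaluate_objectives(measurements: dict) -> list:
    """Compare each measured value with its target and record who owns the result."""
    report = []
    for parameter, target, team in OBJECTIVES:
        measured = measurements[parameter]
        report.append({"parameter": parameter, "measured": measured, "target": target,
                       "met": meets_target(measured, target), "team": team})
    return report


def unmet_objectives(measurements: dict) -> list:
    """Parameters whose target was missed; these feed the management review."""
    return [row["parameter"] for row in evaluate_objectives(measurements) if not row["met"]]


# Measurements for one six-month period; two are derived from the constructed data above.
PERIOD_MEASUREMENTS = {
    "Average minor non-conformities per audit cycle": 4,
    "Internet availability in working hours": availability_percent(UPTIME_SAMPLES),
    "Infected file count (new + still infected)": 5,
    "License issues": 100,
    "Full backup failures": count_full_backup_failures(BACKUP_LOG),
    "Downtime due to power failure (hours)": 8,
}

if __name__ == "__main__":
    for row in evaluate_objectives(PERIOD_MEASUREMENTS):
        status = "met" if row["met"] else "MISSED"
        print(f"{row['parameter']:<48} {row['measured']!s:>6} {row['target']:<20} {status} ({row['team']})")
```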

Information security key performance indicators

A key performance indicator (KPI) is a metric used to evaluate factors that are crucial to the success of an organization. It differs from an objective in that an objective is something you want to achieve, while a KPI is something used to verify whether your efforts are leading you toward the defined objective. For example, if 60 mph is the speed objective, the speedometer helps you to achieve and maintain that speed. When decision makers are surrounded by information and have limited resources to work on objectives, defining the most relevant measures (the KPIs), and how and when they should be presented, is a good way to help monitor results and make proper decisions. Besides verifying that one is on course to achieve the proposed objectives, KPIs may be used to support ISO 27001 by helping to communicate the importance of information security management and objectives. Though there are many criteria you can use for KPI selection, some aspects are common to them and can make your task easier:

  • Business relevant: the indicator should be aligned to clear business objectives or legal requirements, which makes it easier for people to understand why it should be measured and evaluated. ISO 27001 has some requirements that may be addressed by the use of indicators related to effectiveness and compliance, but an organization should consider efficiency indicators too; for example, the Return On Security Investment (ROSI) can show how well resources are used to support security planning.
  • Process integrated: activities to collect the necessary data for a KPI should add the least amount of work possible, compared to the usual activities required to deliver the product/service, and the information (e.g., marking a step as completed or recording the time to perform an activity) needed should be in the same forms already used by the process.
  • Assertive: the indicator should be capable of pinpointing relevant issues (e.g., process steps, organizational areas, resources, etc.) that need attention. For example, a KPI related to the number of failed login attempts explicitly limits the scope to the login process.

Examples of performance indicators

The following examples cover a complete PDCA (Plan-Do-Check-Act) sequence, showing how different indicators can be used to get a full view of the performance of the processes related to information security management.

  1. Plan
    • Percent of business initiatives supported by the ISMS: indicator that shows the ISMS’s level of alignment and integration with the business. The higher the value, the more optimized the ISMS resources, since management resources are being used over more aspects of the organization. You can use the ISMS Scope Document, compared to all services/processes of the organization, to obtain this information.
    • Percent of information security initiatives containing cost/benefit estimates: indicator that shows the organization’s maturity on risk treatment. The higher the value, the more the risk treatment decisions are based on facts. You can use the Risk Assessment and Treatment Report and the Risk Treatment Plan, compared to all security initiatives implemented, to obtain this information.
    • Percent of agreements with information security clauses: indicator that shows how services and products, provided by you or supplied to you, are legally supported considering information security aspects (e.g., availability, confidentiality, integrity, and continuity). The higher the value, the better supported your relationships with clients and suppliers are. You can use Non-Disclosure Agreements and SLAs with information security clauses, compared to all agreements related to services and products, to obtain this information.
  2. Do
    • Number of security-related service downtimes: downtimes related to information security issues directly reflect the effectiveness of the ISMS. This information can be obtained from operational reports.
    • Duration of service interruptions: as important as the number of downtimes, the average duration of downtimes is an important measurement of ISMS effectiveness. This information can be obtained from operational reports.
    • Incident resolution time: another important measurement of ISMS effectiveness; this information can be obtained from operational reports.
  3. Check
    • Percent of controls assessment performed: indicator that gives you a view of how many security measures are being reviewed. The higher the value, the more controls are being analyzed in terms of effectiveness, efficiency, and opportunities for improvement. You can use the Risk Treatment Plan, compared to Training Plans, Incident Logs, Audit Reports, and Management Review Minutes, to obtain this information.
  4. Act
    • Number of improvement initiatives: indicator that shows the proactivity of an organization’s ISMS with respect to changes in the environment and the opportunities identified. Changes made with the objective of improving results or preventing losses, rather than correcting errors or problems, are good examples that reflect a high value on this KPI. You can use the Audit Reports and Management Review Minutes to obtain this information.

Proper monitoring to improve results and avoid problems

Organizations are under constant pressure to achieve results, and to do so, it is essential that they can count on proper navigational instruments that can show them if they are on the right course and allow timely adjustments. But, it is also essential that these instruments are well chosen and calibrated, or else you may find yourself attacking the wrong problems and turning a bad situation into something worse.

Steps to establish Information Security Objective

1. Establishing a Strategy Plan

The purpose of a strategic plan for security is to provide management with the necessary information to make informed decisions about investment in security. The strategic plan links the security function with the business direction. The strategy must present a business case that describes key business benefits and outcomes related to security, with recommended strategies for achieving those outcomes. Strategies for security help achieve business objectives by identifying and addressing security requirements in business functions and initiatives, and providing infrastructure, people and processes that meet those requirements. Although driven by business requirements, strategies must take into account other factors that may impact on the achievement of those outcomes. The strategies must be revised periodically to allow for changes in the business direction and in the constraining factors.

2. Security functions

As the strategy describes business outcomes related to security, the scope for security strategy is defined by an organization’s definition, or scope, of its security function. The security function should be defined by objectives. The key functional areas defined are security policy, security organization, personnel security, asset classification and control, physical and environmental security, computer and operations management, system access control, system development and maintenance, business continuity planning, and compliance.
E.g. The objective of security at <organization> is to protect information and information systems and prevent unauthorised access, unauthorised modification or damage, or interruption to business functions.
Under company law, directors are obliged to take reasonable actions to protect company assets. Reasonable action can be demonstrated by aligning an organization’s security functions with industry standards. Security functions can be strategic, tactical or operational. Security functions are implemented in terms of technology, processes and people. Security functions should be documented with accountability against organizational roles. Accountability for security functions may be concentrated in a single security group, or allocated to other areas that have common objectives. For example, the accountability for business continuity may be allocated to an operational support group. A security strategic plan should include objectives for all security functions regardless of where they are placed within the organization.

3. Business objectives

Business objectives are the highest level, or fundamental, objectives of the organization. At the conceptual level these objectives relate to the prosperity of the organization and all of its stakeholders. When enumerated by the business the objectives become more descriptive and may include the following:

  • to reduce costs by efficiency gains
  • to reduce potential costs through risk reduction
  • to protect assets
  • to create opportunities for revenue growth by enhancing or creating customer services and products, by creating competitive advantage, and by extending the customer base
  • to create opportunities for revenue growth by enhancing or maintaining reputation in the marketplace, by reducing time to market, and through marketing/advertising and channel management

Business objectives are implemented through a range of business strategies. Strategies will vary greatly between organizations. Example business strategies may include the following:

  • Building infrastructure to provide extended customer functions
  • Joint ventures or mergers to improve market position
  • Outsourcing to achieve flexibility and cost reduction

Business strategies will be achieved through implementation of a range of business initiatives.

4. Security objectives

  1. Determining Security objectives

    Security objectives are the sub-set of the business objectives that can be achieved by application of the security functions. To determine the security objectives, evaluate the potential for each business objective or initiative to be impacted by each security function. For example, consider the business objective of increasing revenue through reduced time to market.
    How does security policy impact on time to market?
    Policy provides a statement of acceptable risk. If security policy does not define protection requirements for sensitive information, then development may be delayed while the risk is assessed and security controls defined. At the same time, stringent policy requirements may also delay the development of system enhancements, and may even preclude some business initiatives as excessively risky. The security objective would be to optimise between policy that defines the minimum controls – giving best time to market, minimum cost and maximum business enablement – while keeping residual risk below an acceptable threshold.
    How does security organization impact on time to market?
    Security organization ensures that accountability for security functions has been allocated to organizational roles. If security functions have not been effectively allocated, delays could be incurred at any point of the development lifecycle that depends on a security function. For example, if inadequate resources have been allocated for security assessment, there may be delays in getting approval to promote a system into production. The security objective would be to ensure that security functions are supported adequately to prevent delays in getting products and services into production. Continuing the evaluation to assess the impact of each security function on each business objective will produce security objectives directly aligned with business objectives. This method may be more relevant when revenue and growth is a priority.

    An alternative method is to start with each of the security functions and create a scenario showing the potential impacts to the organization should that function fail. The security objectives for each scenario are then to implement security that prevents those impacts. For example, consider the security function to manage access. In a scenario where access management fails, a hacker might gain access to an internal server and expose information from business partners. The information may be commercial in confidence and may also contain information subject to information privacy legislation. Resulting impacts could include:

    • Parties whose information is exposed seeking penalties for breach of non-disclosure agreement, and also seeking to recover subsequent losses;
    • Customers using alternative service providers. The organization’s reputation and revenue is adversely impacted;
    • Exposure resulting in breach of privacy legislation, litigation costs, penalties and impact on reputation.

    The security objectives from this scenario could include:

    • to prevent hackers gaining unauthorised access to internal servers;
    • to ensure adequate controls are in place to reduce the risk of claims under privacy legislation should exposure result in such claims.

    Scenarios should be developed to cover each security function. Multiple impacts may be associated with each function. Further validation can be attained by including scenarios for actual losses previously incurred by the organization, or by including potential losses from risks identified in recent audits or recorded in risk registers. In addition to event-based scenarios (e.g. failure of security controls) also consider pre-event scenarios. Using the security assurance function as an example, if customers perceive that security in a web service is inadequate they may not take it up, resulting in lost revenue. This method may be more relevant when reducing cost is a priority.

  2. List of strategic security objectives

    Having determined the security objectives using either (or preferably both) of the methods above, the rationalised list of security objectives now describes the purpose of the security function. Security objectives must be achievable by the security functions. Security objectives will vary across organizations. A list of possible security objectives, including how they are achieved by security functions follows:

    • Objective – to reduce security events
      Security functions can alter the likelihood and impact of security events. For example, access management can prevent unauthorised access. A reduction in security events will reduce system interruptions, reduce the costs arising from business interruptions and from recovery, protect reputation and existing revenue streams, reduce information exposure and damage, and reduce legal penalties.
    • Objective – to provide security infrastructure that reduces development costs
      • Security functions can implement security infrastructure (e.g.
        authentication services, access management and provisioning, identity management, key management) that can be re-used by multiple systems. Re-use reduces development costs and also reduces complexity.
      • Infrastructure may provide revenue-generating opportunities through product differentiation.
    • Objective – to reduce operational costs
      • Security functions can reduce operational costs by increasing the efficiency of providing services, such as access control mechanisms.
      • Security functions can reduce insurance costs by reducing the risk profile of the organization.
    • Objective – to reduce development costs
      Security functions can reduce development costs by imposing minimal security controls, by providing infrastructure to reduce the cost of developing controls, by providing policy that reduces the need for risk assessments,

5. Measuring security outcomes

  1. Metrics
    Once security objectives have been identified, an organization must choose methods that demonstrate when those objectives have been met or not met. Metrics must be established that show whether security is effectively achieving the security objectives. Strategies for implementing security cannot be shown to have been achieved unless their impact on security objectives can be assessed either qualitatively or quantitatively. A typical management process includes planning for an outcome, implementing a process to achieve the outcome, measuring the results, and using the results as a measure of effectiveness to improve on the original plan. The process for the management of security is atypical in this regard. Security assurance cannot be measured in terms of “results” where there are none: major security events may never occur, or occur very infrequently. There are also limitations on assessing security in terms of the likelihood of impacts occurring. Consider a scenario in which there is a one in a million chance in any given year that there will be a security breach resulting in a Rs 50 crore loss. The probabilistic loss rate is Rs 5000 per year. Therefore any mitigation plan to reduce the risk must cost less than Rs 5000 per year to provide a positive return. For straight-line risk tolerance, definition of acceptable risk levels is limited by the difficulty in determining the true probability of the event and the true loss that may occur. In practice, risk tolerance is non-linear: organizations tend to exhibit increasing aversion to high-impact events despite their very low likelihood of occurrence. Furthermore, security events are not as simple as the product of likelihood and impact that is often used. Due to the nature of security incidents, they are typically built from a number of successive events. A simple vulnerability may result in a low impact event; there is a lower probability that this will be exploited into a higher impact event, and successively unlikely events will result in successively higher impacts. Therefore, a security event has a risk probability function showing decreasing likelihood with increasing impact. Likelihood may be indicated by the history of previous events if available; typically there is no history of high impact events. Security assurance needs to be measured in terms of the reduction in this risk probability function, and also in terms of each of the security objectives. For example, metrics for the first security objective derived above (to reduce security events) are described as follows:
    Objective – to reduce security events
    Metric – The reduction in risk of security events can be measured in the following terms:

    • Security can be measured by a system’s resistance to a range of penetration and/or vulnerability tests.
    • Security can be measured against benchmark implementations. For example, the security of a Windows server could be measured by assessing compliance with the CIS Benchmarks.
    • Security controls can be measured analytically. This might be done by measuring the number of Top 20 vulnerabilities occurring across critical services within the organization.

    Metrics should be customised to reflect organizational objectives and values. This assessment should be continued to establish metrics for each security objective. This task is demanding but essential to providing the context for risk assessment. As the requirements for security controls change rapidly in response to changes in business initiatives, legislative requirements, customer expectations and new technology, measurement of security should also distinguish between the effectiveness of existing controls and the capability of the organization to maintain the desired level of security assurance. Each security measure should be assessed in terms of current effectiveness and the organization’s ability to maintain that level of effectiveness. Taking the first metric above (resistance to penetration and vulnerability testing) as an example, the capability would be measured in terms of the processes, technology and resources in place to plan, implement and respond to penetration and vulnerability tests.
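    The risk probability function described above (a chain of successively less likely, successively higher-impact events) and the straight-line spending rule can be made concrete. The following is an added example, not code from the original article; every probability, rupee figure and control in it is constructed, and the convex weighting used for the non-linear risk tolerance is one illustrative choice, not a standard formula.

```python
"""Risk probability function and expected loss for a chain of security events.

Added example (not from the original article); all probabilities, losses and
controls are constructed. It models the article's point that a security
incident is a chain of successively less likely, successively higher-impact
outcomes, so risk is a curve (likelihood of exceeding each impact level)
rather than a single likelihood x impact product, and that a straight-line
(expected-loss) view and a risk-averse view can rank controls differently.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Stage:
    name: str
    p_escalate: float  # P(stage reached | previous stage occurred); first stage: annual P
    impact: float      # loss in rupees if the chain stops at this stage


# Constructed chain for an internet-facing service (assumption, not article data).
CHAIN = (
    Stage("known vulnerability exploited, minor outage", 0.5, 200_000),
    Stage("foothold escalated to exposure of customer records", 0.1, 5_000_000),
    Stage("large-scale breach with regulator penalties", 0.02, 500_000_000),
)


def exceedance_curve(chain):
    """Risk probability function: P(loss >= impact_k) for each stage k.
    Reaching stage k requires every earlier escalation, so the probability is
    the running product of escalation probabilities: it falls as impact rises."""
    curve, p_reach = [], 1.0
    for s in chain:
        p_reach *= s.p_escalate
        curve.append((s.impact, p_reach))
    return curve


def stop_probabilities(chain):
    """P(chain stops exactly at stage k) = P(reach k) * (1 - P(escalate to k+1))."""
    out, p_reach = [], 1.0
    for i, s in enumerate(chain):
        p_reach *= s.p_escalate
        p_next = chain[i + 1].p_escalate if i + 1 < len(chain) else 0.0
        out.append((s, p_reach * (1.0 - p_next)))
    return out


def expected_annual_loss(chain, tolerance=None):
    """Annualised expected loss. With `tolerance` set, losses above it are
    weighted by impact/tolerance: a constructed convex weighting that mimics
    the increasing aversion to rare, high-impact events the article describes."""
    total = 0.0
    for s, p_stop in stop_probabilities(chain):
        weight = 1.0 if tolerance is None else max(1.0, s.impact / tolerance)
        total += p_stop * s.impact * weight
    return total


def with_control(chain, stage_index, new_p):
    """Chain after a control that lowers the escalation probability of one stage."""
    return tuple(replace(s, p_escalate=new_p) if i == stage_index else s
                 for i, s in enumerate(chain))


def justified_annual_spend(chain, controlled, tolerance=None):
    """Straight-line rule from the article: a mitigation gives a positive return
    only if it costs less per year than the loss it removes."""
    return expected_annual_loss(chain, tolerance) - expected_annual_loss(controlled, tolerance)


# Two constructed controls: hardening that lowers the chance of the initial
# event, versus segregation that lowers escalation to the large breach.
HARDENING = with_control(CHAIN, 0, 0.3)
SEGREGATION = with_control(CHAIN, 2, 0.01)

if __name__ == "__main__":
    for impact, p in exceedance_curve(CHAIN):
        print(f"P(loss >= Rs {impact:>12,.0f}) = {p:.4f}")
    print(f"expected annual loss: Rs {expected_annual_loss(CHAIN):,.0f}")
    for name, ctrl in (("hardening", HARDENING), ("segregation", SEGREGATION)):
        print(f"{name}: straight-line spend limit Rs {justified_annual_spend(CHAIN, ctrl):,.0f}, "
              f"risk-weighted Rs {justified_annual_spend(CHAIN, ctrl, tolerance=10_000_000):,.0f}")
```

    On these constructed inputs the straight-line rule justifies more spending on hardening, while the risk-weighted view favours segregation because it cuts the rare high-impact tail the organization is most averse to.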

  2. Current security capability
    Once the security metrics have been established it is possible to assess the current (point-in-time) security capability of the organization. Each of the measures described above should be applied to the organization to produce a statement of capability. This can serve as the baseline against which enhancements and changes to security can be planned and measured. A sanitized version of this statement of capability could be used to represent capability to customers and business partners.
  3. Current outcomes
    Current outcomes are a measure of the actual security events rather than assurance. Information is collected in regard to actual events impacting on each of the security objectives. For example, for the objective of reducing security events, the current outcomes will be the number of recorded security breaches and the actual costs arising from those events. For the objective of minimising litigation, the outcome would be the number of litigations raised against the organization and the actual costs arising from such litigation. Some objectives will always be difficult to measure, such as reputation. Customer surveys may indicate levels of satisfaction in existing customers. The current outcomes are used in conjunction with the current capability to define the baseline for security planning.

6. Security vision

The vision is the picture of the future environment, showing how people, process and technology will work together to overcome constraints and threats, and meet all security objectives. For example, the vision for fulfilling the security objective of reducing risk of litigation (e.g. obligation for due care under company law) will be achieved by establishing comprehensive policy, procedures and training that either reduce events of information disclosure, or transfer the responsibility to the individual. Similarly, the vision for fulfilling the security objective of reducing security events (e.g. in response to increased attacks from the internet and exploitation of vulnerabilities in new technology) will be achieved by a combination of system hardening, segregation of sensitive systems, and enhanced perimeter security that will reduce vulnerabilities to an absolute minimum. Continue the process and create a vision of the future environment that meets all security objectives.

7. Constraints

In addition to the business objectives and initiatives driving security there are also a range of constraints that inhibit or prevent the achievement of security objectives. These factors may be internal to the organization and controllable, or external and beyond the control of the organization.

  1. External constraints
    • Emerging technology (e.g. wireless networking) creates business opportunities but also brings new vulnerabilities and risks.
    • Legislation (e.g. information privacy) may increase the potential costs arising from exposure of sensitive information and may create new obligations for providing controlled access to information.
    • Customer requirements (e.g. increased connectivity) may increase vulnerability and complexity in internal systems.
  2. Internal constraints
    • Cost – organizations tend to vary their level of risk acceptance in response to growth or retraction in the market.
    • Architecture – (e.g. authentication systems) may restrict use of strong authentication or inhibit adequate monitoring.
    • Culture – organizations with a strong culture of trust may fail to recognise weak security systems. Attitude and awareness play a key role in building effective security.
    • Complexity – organizations that are highly responsive to customer requirements may create solutions with increasing complexity and interdependence.

8. Threats and vulnerability

Threats and vulnerabilities also impact on the organization’s ability to achieve its objectives. A vulnerability is a weakness in a system that can be exploited. A threat is something that may act to exploit a vulnerability. Threats to an organization should be identified and allowed for in setting security objectives. Typical threats include external hackers (script kiddies, criminals, competitors), disgruntled staff and contractors, viruses and other malicious code, and inadvertent action by authorised operators. Typical vulnerabilities include published system vulnerabilities, poor configuration, inconsistent application of processes and untrained staff. Security strategies must allow for vulnerabilities and threats.

9. Strategies

Strategies are the plans for moving from the current environment towards the vision. Strategies do not have priorities: they are mutually exclusive. A strategy is a direction, plan or approach to achieving the security objectives while allowing for the influence of the constraining factors. Use the business objectives, security objectives, and measures of the current capability to identify security objectives that are not fully met. Create strategies to meet those objectives while allowing for constraints and threats. For example, the business objective is to generate more revenue. The business strategy is to create additional connectivity with customers to provide value-added services. One security objective is to allow the connectivity while mitigating the risk of hacker and virus infiltration to an acceptable level. Another security objective is to ensure that customer expectations for integrity and availability can be met. The vision includes comprehensive perimeter monitoring and access controls. The current capability meets existing needs, but will require enhancement to protect new communication channels used to provide the planned increase in connectivity. External constraining factors could include the technology (e.g. inherent weakness in wireless networking), and the obligation to protect customer information that is subject to information privacy legislation. Internal constraining factors could include the complexity of internal systems. Adding new connectivity may require additional resources to cover essential security monitoring. The security strategies might be:

  • to increase monitoring of external connections. This will mitigate some risk associated with increasing the connectivity.
  • to increase the security “hardening” of all customer facing systems.
  • to provide redundancy for critical production system components to improve availability of services.

Continue the process to identify strategies for all security objectives. Each strategy must support at least one objective. In total, all of the strategies must meet all of the objectives. Examine each security objective and ensure that it will be fully achieved if the strategies are fully implemented. If not, further strategies are required.

10. Initiatives

  1. Setting Initiatives
    Initiatives are the operational plans for the implementation of processes, technology and people that achieve the security objectives. Each initiative must support at least one strategy. Initiatives, if fully implemented, should completely achieve the strategy and its objectives. If the initiatives do not meet all of the objectives, further initiatives should be prepared. For example, with a strategy of hardening all customer-facing systems, the initiatives might be:

    • to configure all customer-facing servers in accordance with CIS security benchmarks;
    • to replace network bridges with switches, relocated inside the organization’s trusted network;

    Each initiative must include an assessment of the expected benefits (reduction in residual risk), costs (allocation of funding and resources to achieve changes in technology, process and people), priorities and interdependencies. In the example above, consider whether customer-facing systems will be adequately hardened when these initiatives are fully implemented. If there are further measures that can be taken to harden these systems, multiple initiatives should be identified. Multiple initiatives provide further opportunity for senior management to determine the appropriate level of investment and acceptable risk by choosing between initiatives. Owing to the interdependencies between strategies and initiatives, changes to timing or acceptance of one initiative may impact on others. For example, delays to virtual private networking may impact on delivery of a single sign-on solution using the same infrastructure (directory service and certificate authority). Initiatives can be validated against best practice. Cost-effective outcomes may be achieved by following the approach other organizations have used in similar situations and leveraging their experience to avoid costly errors. Continue this process to include initiatives for all security objectives. The strategic security plan should include a summary showing that the initiatives in total meet the strategic objectives, and also produce the future vision as described earlier.

  2. Accountability and governance
    The security function cannot be made responsible for achievement of business objectives outside of its area of control. For example, a security objective may be to provide certification to international standards so that the business can differentiate services on that basis. The security staff cannot be held accountable for revenue generation: that is the sales team’s responsibility. The security team can be accountable for achievement of the certification. When completed, the strategic security plan will have input from business areas to ensure alignment with business direction, and input from information technology, legal services, personnel and other support areas to ensure that the plan is realistic and feasible. Governance of the security process should be included in the organization’s governance process along with risk management. Security reporting should be consistent with risk reporting. The organization’s senior officers will be seeking to demonstrate reasonable care. Questions that could be expected include the following:

    • Is Management confident that security is being adequately addressed in the company?
    • What are other people doing and how is the enterprise placed in relation to them?
    • Does management have a view on how much the enterprise should invest in IT security improvements?

    At this point the strategic security plan should be able to answer all of these questions except for the question of the appropriate level of investment. This must be answered by senior management. The plan provides the rationale behind each of the strategies and initiatives and allows management to invest in security based on the financial position of the organization and the level of risk considered acceptable by senior management. Senior management will be looking for comparison of the security in their organization against organizations of similar ilk to validate the strategic plan. An approach to determining the cost of security and comparative industry costs follows.

  3. Cost of security
    The cost models for security are still evolving. Models supported by security consulting firms tend to emphasise operational costs backed up by the potential cost of disastrous events in order to generate sales of security services. Such models may understate the significance of other security objectives such as asset protection or legal risk mitigation. Security costs can be described as being made up of planned costs and potential (risk) costs.
  4. Planned costs
    Planned costs are incurred regardless of the occurrence of actual security events and can be direct or indirect costs. Direct costs are associated with planning, implementing, and operating security functions. This includes salaries, depreciation on security assets, and maintenance and service charges related to the supply of security functions. Indirect costs include the cost of insurance (premiums may vary with the level of security assurance). A strategy showing an increase in planned security spending should demonstrate a reduction in the overall risk profile of the organization, or containment of escalating risk. A reduction in security spending should be reflected in the acceptance of a higher risk profile.
  5. Potential Costs
    Potential costs are only incurred if security events occur. Potential costs are tied into the strategy as optional implementation plans. Different implementations have differing probabilities and impacts. Senior management can adjust the risk/investment balance by choosing between initiatives. Potential costs need to take into account all of the security objectives and include security events (response and recovery, loss of business, reputation, etc.), interruption to operations, loss of operational data, exposure of confidential data, contract claims for non-performance, and the cost of litigation and legal penalties for breach of obligations regarding privacy, copyright, trade practices, company governance, etc.

Example of Objective and plan

Hacking and Unauthorised Interception

Developing an IS Objectives plan
The purpose of an ‘IS Objectives plan’ is to set out how an intended action will be achieved, who will undertake it and how it will be measured.
Objectives to be achieved

  • Issues to be addressed
    Our current firewalls are old and are insufficient to prevent new threats. ‘Hacking and Unauthorised Interception’ is the deliberate interception or collection of data or voice traffic on our network. Competitors or thieves seek to gather personal information that enables them to commit fraud. Although we have not detected this happening as yet, it is a real and present concern. The main ways this is done are:

    • External parties gaining access to our IT systems
    • Staff finding ways to access restricted information internally
  • Proposed Actions
    Replace our existing external firewalls with enterprise-grade products that offer stateful inspection capabilities. The design must contain the most advanced firewall capabilities, including:

    • proxies (including SOCKS)
    • stateful inspection or dynamic packet filtering
    • network address translation
    • virtual private networks
    • Internet Protocol version 6 or other non-Internet Protocol version 4 protocols
    • network and host intrusion detection technologies
  • External Firewall deployment steps
    Prepare:  Ensure network diagrams are up to date
    Configure:

    1. Select and acquire firewall hardware and software as above
    2. Acquire firewall documentation, training, and support
    3. Install firewall hardware and software
    4. Configure IP routing
    5. Configure firewall packet filtering
    6. Configure firewall logging and alert mechanism

    Test:

    1. Test the firewall system
    2. Install the firewall system
    3. Phase the firewall system into operation
  • Internal Intellectual Property control deployment steps
    Implement internal Intellectual Property Controls based on information signatures.
    Prepare:

    1. Information signatures identification – credit card details, personal information.
    2. Assign approved locations for information types
    3. Approve staff access structure
    4. Select and acquire agents and management application

    Configure:

    1. Implement tracking agents onto PCs and servers
    2. Acquire firewall documentation, training, and support
    3. Configure physical server
    4. Configure logging and alert mechanisms

    Test: Test the system
    Deploy: Enable the live IP system

  • Accountability
    John Bishop IT Manager is responsible for the approval of this plan. Chris Flood, IT Analyst is responsible for plan implementation.
  • Resources and responsibilities
    1. Management will provide budget (to be set) for the purchase of new Firewalls, budget is still pending. Objective is on hold.
    2. IT will project manage the process but a specialist supplier will undertake this work.
  • Completion schedule:  Implementation Resource Estimates
    The following rough-order-of-magnitude timeframes represent the calendar time required by staff / supplier to implement each of the practices described in the ‘Proposed Actions’ section.

    1. Design the firewall system 3 months
    2. Acquire firewall hardware and software 2 months
    3. Acquire firewall documentation, training, and support 1 month
    4. Install firewall hardware and software 1 month
    5. Configure IP routing 1 week
    6. Configure firewall packet filtering 3 weeks
    7. Configure firewall logging and alert mechanisms 2 weeks
    8. Test the firewall system 2 weeks
    9. Install the firewall system 1 week
    10. Phase the firewall/IP system into operation 2-3 months
  • Evaluating results
    1. Internal and external penetration testing (undertaken by a third party) will be undertaken to ensure successful deployment.
Example of a template for an Information security objective register and plan (PDF)


If you need assistance or have any doubt and need to ask any question contact me at: preteshbiswas@gmail.com or call Pretesh Biswas at +919923345531. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion is also welcome.
