THE EXECUTIVE’S GUIDE TO ASSURING COMPLIANCE

Foreword

In the technology-centric environment in which we work today, the ability to manage information risks is yet another critical requirement for business success. Creating an even more challenging environment, the government regulates almost every aspect of running a business. These two issues combine to create substantial responsibilities on the part of business executives and information technology professionals. From the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act in the United States to various international privacy and security laws, regulations have quite a grip on information technology—and that grip appears to be getting tighter. What used to be a concern only for corporate legal counsel and network administrators has grown to also be the focal point of executive and boardroom discussions. The government is mandating what would otherwise be general information technology best practices to force businesses to protect customer information and prevent corporate misdeeds. Businesses are often expected to have effective information security infrastructures in place—and the task of implementing such an infrastructure is not simple. These new government regulations have ushered in a new era for running a business. Information technology professionals and business executives are now faced with many questions about how to effectively manage information technology and stay out of legal trouble. General information security safeguards that are put in place and revisited once a year for the sake of compliance are not an effective way to manage these new regulatory challenges. Information security products in and of themselves are not the only solution either.

What is required is a strong combination of policies, business processes, and technologies that are understood and supported not only by the executives and information technology staff but also by every employee. This recipe for success, combined with recent information security product innovations, has made the process of getting people and technology to work together to improve information security much easier. Business executives and information technology professionals that embrace a philosophy and culture of information security and lead by example can and will be successful during these challenging times of trying to balance compliance with information risks and business goals. Fortunately, positive side effects of solid information security leadership are enhanced information risk mitigation and ongoing government compliance. One of the best ways for organizations to manage these issues and implement proper solutions is to educate themselves. However, with so many scattered resources available, it is difficult to sort through them to discover what really needs to be done. In this guide, Rebecca Herold has done an excellent job of presenting the essential information required. Her coverage of what information technology professionals and business executives really need to know and her practical solutions are worth their weight in gold.

Kevin Beaver, CISSP

Copyright Statement

© 2004 Realtimepublishers.com. All rights reserved. This publication contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com or NetIQ Corporation. In no event shall Realtimepublishers.com or NetIQ Corporation be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part. The Materials may contain trademarks, service marks and logos that are the property of third parties. Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.

Contents

Foreword ... i
The Executive's Guide to Assuring Compliance ... 1
Basing Security upon Service Management ... 1
Inadequate Security Programs Put Executives at Risk ... 2
Making Security a Business Responsibility ... 2
Compliance Completeness ... 2
Establishing a Security Compliance Management Framework ... 3
Establishing a Central Security Management Area ... 3
Creating a Security Charter ... 4
Designating a Distributed Security Implementation Group ... 4
Identifying Major Compliance Issues ... 4
Defining Information Assets ... 5
Defining and Selecting Information Security Controls ... 5
Documenting the Compliance and Risk Management Process ... 5
Creating an Operationalized Compliance Framework ... 6
Determining What These Regulations and Standards Mean to Organizations ... 6
Determining Acceptable Risk and Choosing Appropriate Controls ... 6
Creating a Sustainable Policy Management Process ... 7
Developing a Knowledge-Driven Compliance Framework ... 8
Summary ... 9

The Executive’s Guide to Assuring Compliance

In today’s integrated, regulated, litigated
environment, it is necessary to provide assurance to customers, business partners, regulators, and sometimes even the courts that you have done your due diligence in securing your IT infrastructure. New and updated United States laws are increasingly making corporate management responsible for ensuring compliance, as companies face substantial fines and penalties for not doing so. Existing and emerging global security and privacy laws and regulations make keeping up with multinational compliance requirements imperative. Organizations must have a business-based security framework built upon leading practices that not only allow compliance with policy and regulations but also provide a way to proactively identify risks, document compliance gaps, and report the state of the current security environment. The security framework must provide a sustainable process that allows for ongoing management of risks and compliance and must be built upon leading practices, accepted standards, contractual requirements, and applicable laws. Executives must implement information security programs and demonstrate due diligence for how their organizations process information. Executives and board members are ultimately accountable for ensuring compliance, and face penalties, including fines and jail time, for non-compliance.

Basing Security upon Service Management

Security should be part of the larger information management process and strategy and should be service management based. This is accomplished through the creation and implementation of a shared security service implementation program and framework composed of:
• Security architecture—The governance for security through which organization-wide policies are created and maintained
• Operational management—How and what the security and compliance areas do to offer security services throughout the organization to implement information security governance
• Certification and verification—A structured framework through which governance is implemented and ensured throughout the organization’s business units

Inadequate Security Programs Put Executives at Risk

Executives have increasing exposure to information security risks as technology advances and new laws and regulations are implemented. Executives are susceptible to risks such as:
• Not being aware of existing risks within the organization and not knowing which risks are most significant
• Failure to create, support, and communicate an adequate and effective security culture and control framework to meet business needs
• Failure to effectively delegate responsibilities for risk management throughout all levels of the organization
• Failure to detect where security weaknesses exist within the organizational business units
• Failure to successfully monitor risk management activities to ensure compliance with policy

Making Security a Business Responsibility

Information security must be viewed as a business responsibility and must be shared by all members of business management. It is most effective to incorporate security throughout the business units by creating a security management oversight council to ensure that there is clear security direction and apparent management support for security initiatives. Such a council should promote and enhance security within all business processes by applying appropriate commitment and adequate resources. Effective IT governance that includes information security will enable the enterprise to use information in the most efficient and effective way possible, which will ultimately increase business benefits, put the organization in a position to take advantage of emerging opportunities, and enable a company to gain a competitive advantage.

Compliance Completeness

Many organizations develop software tools for network monitoring or to perform security activities internally in an effort to save money and avoid purchasing vendor products. Dependence upon such in-house–created tools and related procedures may seem cost effective for determining the effectiveness of security controls, but usually such tools tend to address security risks in a patchwork fashion, do not provide a big-picture view, leave compliance gaps, and do not consider all risks. IT environments are continually changing, and new security risks and threats can occur at any time. Security tools must be able to address such challenges.

The amount of effort applied to implementing a safe and secure working environment should be based on how much of an impact security problems can have upon your business. However, implementing adequate and effective security does not necessarily mean investing large amounts of time or expense. For example, making the effort to raise awareness, identify security risks, and take prudent precautions for IT practices and processes is achievable with significantly less effort when following a thoughtful compliance plan. Implementing the accompanying technical safeguards for the identified risks can be more complex and expensive. Thus, it is important for organizations to rely upon and implement proven products from reputable suppliers, and, when necessary, call experts for advice. It is important to remember that all these security efforts are not something that should be done once; they require constant and continuous attention.
Establishing a Security Compliance Management Framework

An overall compliance-management framework must include needs assessment, design, metrics, evaluation, and ongoing sustainable value. The implementation of a compliance-management framework must move from being a project to being a sustainable business process.

Establishing a Central Security Management Area

A central security management area will ensure compliance projects and processes are operationalized throughout all business units. Suitable security management leadership must be established to approve the information security policy, assign security roles, and coordinate the implementation of security throughout all areas of the organization. This security management area should also serve as a source of specialized information security knowledge and advice for the organization. The central security management area should develop contacts with external security specialists (such as consultants, professional organizations, industry peers, and so on) to keep up with leading practices, industry trends, assessment methods, and new and emerging regulatory requirements as well as provide suitable liaison points when dealing with security incidents. Information security should be approached as multi-disciplinary.

Creating a Security Charter

A charter for the security function should be established by the central security management area and visibly endorsed and supported by senior management. The charter should outline the responsibility, authority, and accountability of the IT security function. The charter should be reviewed periodically to ensure that the independence, authority, and accountability of the IT security function are maintained. The charter should require the creation, implementation, and maintenance of a management framework to govern information security within the organization in a way that is best suited for business and supports business goals.

Designating a Distributed Security Implementation Group

Identify key personnel within each of the business units and operational areas to be responsible for performing specific security activities that are crucial to your security program success. Train the personnel to efficiently and effectively perform the activities. Explain how the activities support the business and help to meet business goals. This group should also act as a central advisory committee to provide recommendations to the security management area for the purchase, strategy development, and deployment of new security and controls equipment, software, and training based upon business needs and processes. The members of the group must be aware of the products currently available as well as the emerging technologies that may affect the viability of current products or purchases.

Identifying Major Compliance Issues

Compliance involves following the requirements of the laws, regulations, and contractual arrangements to which the business process is subject. Management must ensure that appropriate procedures and systems are in place to determine whether personnel understand the implemented policies and procedures and that the policies and procedures are being followed.

Defining Information Assets

Organizations must know what information assets they own or manage. Assets must be identified in order to establish controls to secure them. After all, if you don’t know what you are protecting, how can you possibly protect it? Creating an inventory of information assets will help ensure that effective asset protection takes place. Establishing an inventory may also be required for other business purposes, such as health and safety, insurance, or financial asset management reasons.

Defining and Selecting Information Security Controls

Security controls are implemented to protect the confidentiality, integrity, and availability of information resources. Confidentiality controls help prevent unauthorized disclosure of information. Integrity controls help prevent unauthorized modification of information and systems. Availability controls help to ensure that uninterrupted access to information and IT resources is provided. After identifying information assets, risks, and security requirements, select and implement controls to reduce risks to an acceptable level. Some controls are not applicable to every information system or environment and might not be practicable for all organizations. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Also take into consideration non-monetary factors such as loss of reputation and applicable laws.

Documenting the Compliance and Risk Management Process

A critical component of creating the security management framework and supporting processes is identifying business and security requirements. To accomplish this, assess risks to the organization and identify compliance requirements. The risk assessment will identify threats to assess and evaluate as well as enable an organization to estimate vulnerability to and likelihood of threat occurrence and potential impact to the organization. Identify the legal, statutory, regulatory, and contractual requirements that the organization has with trading partners, contractors, and service providers. Identify all principles, objectives, and requirements for information processing within the organization that exist to support operations. With this information, and the previously performed tasks, document the compliance and risk management process.

Creating an Operationalized Compliance Framework

An organization must know partner and customer contracts and related security issues.
To ensure internal compliance, the organization must communicate security charter and security program components continuously through a sustainable ongoing framework. And, very important but often overlooked, an organization must monitor and evaluate policy and control effectiveness. To enable these measures, an organization must:
• Establish a full security policy life cycle
• Manage policies using a consistent, sustainable, and automated life cycle
• Ensure that policies evolve to counteract the continually adjusting landscape of regulations and threats to the enterprise
• Establish communication paths within the business units to ensure that all issues are covered by the policies and that the requirements support business functions appropriately
• Monitor and evaluate policy and control effectiveness

There are a growing number of laws and regulations that include requirements for organizations to provide security controls and demonstrate compliance assurance. Regulations—such as the United States’ Health Insurance Portability and Accountability Act (HIPAA), the United States’ Gramm-Leach-Bliley Act, the United States’ Sarbanes-Oxley Act, California regulation SB1386, the European Union’s Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), South Africa’s Prevention of Organized Crime Act of 1998, and South Africa’s Financial Intelligence Centre Act 2001—are examples of just a few of the laws that require organizations doing business under the regulation’s jurisdictions to implement very specific security and privacy controls. Most regulations advise using generally accepted standards to implement the controls.

Determining What These Regulations and Standards Mean to Organizations

Regulatory requirements and standards impact all areas of an organization. There must be an effective framework in place to ensure that all organizational areas understand and comply with the requirements as they are applicable to each business unit. The centralized security management area, in partnership with the organization’s legal team, must keep up to date with all laws and regulations that apply to the organization, and use them as input to the business case justification for security and controls compliance (as well as input to the business impact analysis and other planning processes).

A process should be in place to communicate new and updated regulations and standards effectively, efficiently, and expeditiously throughout operational management. This process will more easily and effectively be accomplished by using the information security oversight council and the distributed information security group. Regulations can not only have a profound impact on organizations through noncompliance fines, penalties, and resulting bad publicity and damaged reputation but also provide the leverage to help sell security throughout the organization. Because regulations often reference the use of best practices and standards, they can be used to promote standards based upon widely accepted practices such as International Standards Organization (ISO) 17799 and Control Objectives for Information and related Technology (COBIT) for IT governance and controls. In fact, the United States Federal Trade Commission (FTC) has reportedly stated that it considers the Gramm-Leach-Bliley Act Safeguards Rule a standard of due care that would apply to even non-financial companies. By implementing controls based upon regulatory requirements and international standards, organizations will realize positive business operational benefits. For more information about ISO 17799 and COBIT, see www.iso.ch and www.isaca.org/cobit.htm, respectively.

Determining Acceptable Risk and Choosing Appropriate Controls

Determine which information and IT assets are at risk and prioritize them for remediation. Address first the vulnerabilities on the most critical assets that have the highest impact and the highest likelihood of being exploited. You must prioritize the order of addressing risks by risk level. After prioritizing the risks, along with the systems or applications that need to be fixed, begin the remediation process. Assess risks to satisfy the business requirement of supporting management decisions by reaching IT goals. Respond to threats by reducing complexity, increasing objectivity, and identifying important decision factors.

Creating a Sustainable Policy Management Process

Security and control policies are living documents and must be managed as such. Many organizations make the mistake of issuing policies, then never, or not often enough, reviewing them to determine the new regulatory requirements, contractual requirements, business process changes, or other issues that necessitate policy modifications. Determining the effectiveness of policies, and when policies must be updated, requires the cooperation and involvement of all business unit leaders in addition to the information security oversight council and distributed information security group.

Using the security policy life cycle approach will help ensure that the policy management process is comprehensive and addresses all functions necessary to create an effective policy. Effective policy management will lead to a greater understanding of the policy development process through the definition of discrete roles and responsibilities, through enhanced visibility of the steps necessary in developing effective policies, and through the integration of disparate tasks into a cohesive process that aims to generate, implement, and maintain policies.
Developing a Knowledge-Driven Compliance Framework

The security controls and compliance framework must have built-in security, controls, and contractual and regulatory knowledge to be effective. This framework can be developed by mapping the standards, regulations, and contractual requirements to the framework model. Doing so will enable more successful and sustainable compliance and help the organization keep up with new and changing regulations, laws, technology, and contracts. The framework must also provide and sustain knowledge of the organization’s current security environment and activities being done to address risks. The organization must respond rapidly to protect the enterprise business environment and IT architecture and ensure compliance. There must be a capability to quickly and easily document and report the current risk environment, responsibilities for addressing risks, compliance timeframes, and associated controls. The organization must know partner and customer contracts and related security issues. To ensure internal compliance, organizations must communicate the security charter, personnel, requirements, and program components continuously through a sustainable ongoing framework. And, very important but often overlooked, an organization must monitor and evaluate policy and control effectiveness.

Security controls must be certified as being compatible with existing security policy, procedures, and business objectives. The security management area must also be involved to review the process or system to ensure that it is adequately addressing security threats and risks. Following certification, and at regularly scheduled times following implementation, the process or system should undergo a review to verify that the controls are still processing appropriately and that the documentation for the tests and controls produced during the certification process is sound.

Summary

All levels throughout an organization must view security and accompanying controls as a shared service implementation program. One area cannot ensure effective and efficient security and controls throughout an organization. To ensure successful compliance, use the following guidelines as a general compliance assurance roadmap:
• Communicate the security architecture throughout all operational areas of business management within the organization.
• Operational management must ensure that all controls are implemented throughout every business unit.
• New and updated operations and systems must be certified and verified to ensure that adequate and effective controls and security are implemented prior to moving into production.
• Monitoring and review processes must be established to ensure that security and controls are still effective and adequate.
• Compliance must be documented to show that the controls implemented adequately and appropriately address requirements and risks.
• Security metrics must be used to evaluate the level of success of security efforts and to identify gaps with contractual and regulatory requirements.
• Exceptions, incidents, and remediation activities must be identified and remediation plans must be followed to keep the organization in compliance.

There must be a full understanding of IT governance and security and control issues at all levels of the organization, and awareness and formal training are vital to ensuring this understanding. IT processes must be aligned with the business and with the IT strategy, and there must be a clear understanding of business goals and processes supported by defined controls. With these factors in place, an organization can be assured of compliance.

The Executive’s Guide to Assuring Compliance offers just a glimpse of the issues that you, as an executive, face in terms of security and compliance for your organization.
Register today to receive the entire series of Executive Guides to Compliance and Security Risks. These informative books will provide you with expert advice on how to assure compliance, secure your assets and manage risks associated with your IT infrastructure. The series includes:
Book 1: The Executive’s Guide to Assuring Compliance
Book 2: The Executive’s Guide to Securing Assets
Book 3: The Executive’s Guide to Managing Risks

Register today at www.netiq.com/go/execguide to download the full series of Executive Guides and discover how to implement effective security information programs that protect your organization.

© 2004 NetIQ Corporation, all rights reserved. All other company and product names may be trademarks or registered trademarks of their respective companies.

THE EXECUTIVE’S GUIDE TO SECURING ASSETS

Contents

Foreword ... i
The Executive's Guide to Securing Assets ... 1
Identifying Critical Infrastructure Systems and Information Assets ... 1
Why Are Assets Important? ... 2
Effectively Secure IT Assets by Leveraging Business Operations Management Solutions ... 2
Enterprise-Wide Security ... 3
Security Governance and Business Operations Implementation ... 3
Improving Profitability Through People and Technology ... 4
Incorporating IT Management and Security into the Enterprise Mission, Goals, and Processes ... 4
Balancing IT Security Activities with Business Assets and Operations ... 5
Securing the Complete Enterprise ... 5
Simplify Security to the Amount Necessary to Support Business ... 5
Bringing IT Value to Business Units ... 5
Using Leading Practices to Simplify the Information and IT Security Process ... 6
Implementing Service-Driven Security Controls ... 6
Using IT Operations Frameworks for Service-Driven Controls ... 7
Looking at Internationally Implemented Frameworks ... 7
Building an Asset Security Roadmap ... 8
Putting it All Together ... 8
Summary ... 9

The Executive’s Guide to Securing Assets

Keeping your information technology (IT) systems and information secure in the face of constant changes in
hardware, software, threats, and regulations can seem like an impossible task. You must continually monitor and evaluate the effectiveness of asset security controls, and at the same time monitor compliance with regulatory and contractual security requirements. To be effective, you must implement IT controls in the context of your organization’s entire asset base. Consider the following:

• The number of security- and privacy-related laws and regulatory requirements is growing more quickly than ever before. Many countries, and in the United States both the federal government and the states, have already passed laws that dictate how organizations must address security and privacy.
• Information security was historically treated primarily as a technology issue within most organizations. Today, however, the CIO or CISO alone cannot address all information security issues and requirements; information security must be considered afresh as part of the overall business governance process.
• Information security progress will suffer without a governance framework that documents requirements and instructs personnel at all levels of the organization. Without such a framework, it is difficult to ensure that all aspects of security are completely and consistently addressed and integrated with the organization’s business.

Identifying Critical Infrastructure Systems and Information Assets

Critical infrastructures are those systems and assets, physical and electronic, that are so vital to your organization that their incapacitation or destruction would have a debilitating impact on your business. Every day thousands of unauthorized attempts are made to intrude into the computer systems of major government and industry networks, such as defense facilities, power grids, financial institutions, healthcare systems, government agencies, telephone systems, and transportation systems.
Although many of these attempts fail, some succeed in gaining system administrator rights, cracking passwords, planting malicious code and sniffers that copy transactions and sensitive files, or inserting trapdoors that permit an easy return into the system. Organizations are vulnerable to such attacks because virtually all of them depend on computer networks for essential business services. Businesses have become dependent on technology systems, yet most have paid little attention to protecting those networks. Water, electricity, gas, communications (voice and data), rail, aviation, finance, healthcare, manufacturing, and other critical functions are directed by computer controls over vast information systems networks.

Why Are Assets Important?

The Gartner Group reported that approximately 40 percent of business application downtime is caused by operational errors, another 40 percent by application errors (most often misconfigurations), and the remaining 20 percent by actual platform problems, including the network, operating system (OS), or hardware (Source: Lanowitz, Theresa; Tearing Down the Wall, Gartner Group, 2002). Such downtime affects businesses more than it ever has before. Network system components now support an extended network of customers, business partners, and related applications. IT professionals must constantly monitor and maintain systems to provide sufficient (typically 24 x 7, continuous) availability and service levels. The cost of human resources is also on the rise. Meta Group estimates that by 2006 and 2007 IT salaries will escalate, putting labor costs at 55 to 60 percent or more of the IT budget (Source: Passori, Al, Maria Schafer; Base Hit: IT Organization Field of Dreams, Meta Group, 24 May 2004). IDC estimates that acquiring and maintaining one IT staff person costs between $110,000 and $120,000 annually in U.S.
currency (Source: Michael Boyd, Ph.D., International Data Corp., in Business Finance, May 2000). Increased processing complexity, the need for consistent and continuously reliable service levels, and increased labor costs all compound the need to secure assets so that they are accurate, available, and, where necessary, confidential. Disruptions in service raise costs for the customer as well as causing operational deficiencies and increased costs for the business. A strong operational business framework that incorporates appropriate information and technology security is necessary for business success.

Effectively Secure IT Assets by Leveraging Business Operations Management Solutions

Organizations can leverage a variety of service management solutions to manage the people and processes associated with problem, incident, or change management. Unfortunately, no such system provides a comprehensive solution that extends to both the human and the technology levels. The result is that the IT organization has little insight into, or control over, the progress of business activities: whether they have been completed, who is performing them, or even whether the people performing them are the appropriate ones to do so. As a result, gaps exist between service management systems and the business service delivery processes that support the underlying operational infrastructure, creating inefficiencies in personnel and technology and putting assets at risk.

Enterprise-Wide Security

The typical organization structure virtually separates business operations from technology and related security operations. As a result, the IT organization has no insight into the business requirements or activities, and the business units have little understanding of all the activities, processes, and technologies necessary to help ensure business information asset security.
Significant gaps then exist between the steps business unit leaders take to secure information and technology assets and the activities the IT organization has established, or believes are occurring, to protect those assets. Such gaps leave organizations at significant risk of becoming victims of the many IT threats in today’s cyber environment, which could ultimately lead to devastating business loss or failure. Business unit leaders must understand the role security plays throughout the organization; such security education is one of the pillars of good security practice. As a result of the highly decentralized, autonomous way in which business operations have been established, the organization’s centralized IT support areas were, and often still are, left out of important discussions about new information handling and processing plans within the business units. This disjointed way of managing diverse business units has produced gaps that put information and technology at risk. Successfully securing information and technology assets requires eliminating the friction between IT and business operations through training, awareness, ongoing communication, the incorporation of IT into all business unit decisions and plans, and business unit input into all major IT decisions and plans.

Security Governance and Business Operations Implementation

Organizations are starting to realize the need to implement a service delivery strategy to ensure the appropriate implementation of tools and processes between business units and IT support areas. Such a strategy will close the gaps between business unit management and technical support and service delivery.
Remember that business objectives must guide IT objectives and processes; IT must define and manage mutually agreed service levels specific to each business unit; IT service delivery must address the human side of IT by tracking, guiding, and implementing actions throughout the entire infrastructure; and the IT infrastructure includes all processing components: servers, applications, databases, networks, and monitoring and reporting tools.

Improving Profitability Through People and Technology

Organizations must focus on the people and policies that support IT. Historically, little consideration was given to how personnel actions affect service delivery and management. Implementing procedures that are consistent, enterprise-wide, and efficient will give the IT organization the tools and means to guide and manage its actions with full consideration of business impact, create greater accountability, and improve the reliability, efficiency, and security of the IT infrastructure. Ultimately, IT will be able to help maintain and grow the organization’s profit margins while creating tangible, observable value for enterprise management and building alignment between business objectives and IT service delivery. Identify the significant assets, interdependencies, and vulnerabilities of critical information networks, then develop and implement realistic programs to remedy the vulnerabilities while continuously updating the assessment and remediation effort.

Incorporating IT Management and Security into the Enterprise Mission, Goals, and Processes

Many, if not most, IT systems are highly vulnerable to intrusions, especially those assisted or performed by insiders. Unauthorized intrusions occur frequently despite the widespread use of firewalls and password systems. Effective management of information and IT is necessary for the business success of the organization.
The criticality of IT stems from the:

• Increasing dependence of business operations on information and the systems that deliver it
• Increasing number of IT and human vulnerabilities and threats
• Scale and cost of current and future business investments in information and information systems
• Potential for technologies to dramatically change organizations and business practices, create new opportunities, and reduce costs

Balancing IT Security Activities with Business Assets and Operations

Organizations must always keep in mind that the primary goal of technology is to support the business. A critical goal of IT security is to protect business assets. To do so effectively, business needs must be balanced against IT security, and care must be taken that IT security does not have a negative impact on the business. To strike that balance and secure assets effectively, organizations must perform a risk assessment.

Securing the Complete Enterprise

It is critical to consider the entire enterprise when securing information and systems assets. Organizations should apply physical, technical, and procedural security consistent with basic risk management principles. Security standards should provide uniform degrees of protection for information assets throughout the enterprise. Decisions to adopt special protection safeguards should be based on a risk management analysis of the value of the asset, the threats and vulnerabilities, and the costs of protection. Organizations must ensure that no critical systems or assets are left unprotected, and IT must ensure that all vulnerabilities identified during the risk assessment are adequately addressed in ways that continue to support and promote business operations.

Simplify Security to the Amount Necessary to Support Business

IT service management must deliver and support IT services that are implemented directly to support the organization’s business requirements.
It is essential that an organization’s IT services support core business activities and facilitate change as businesses evolve and compete globally. IT must become a primary stakeholder in the business decision-making process. To be successful, IT and business unit management must work together to implement a process by which IT always considers business operations when making decisions and, likewise, business units always consider IT issues when making business service and product decisions.

Documenting the Compliance and Risk Management Process

To establish credibility and elevate its strategic impact within the enterprise, IT must focus on directly supporting the organization’s business objectives and on emphasizing the business value IT provides. IT staff will enable new ways of doing business, and will be better managed, when they are involved in the development and execution of critical business strategies and are seen as important contributors to business success. IT must demonstrate how its services make specific, tangible, and critical contributions to achieving business goals. IT groups must also show how they are achieving the levels of security, efficiency, reliability, and nimbleness that businesses need.

Using Leading Practices to Simplify the Information and IT Security Process

Organization management must decide how much to reasonably invest in IT security and controls throughout the enterprise, balancing control and risk investments within what is typically an unpredictable IT environment. Management has the important task of determining the level of risk it is willing to accept. To assist management with this difficult decision, generally accepted IT security and control standards and leading practices can be used to benchmark the organization’s existing and planned IT environment. Two of the most widely used sets of control standards worldwide are ISO 17799 and COBIT.
ISO 17799 is used primarily by security practitioners and contains recommendations for 10 primary areas of security concern. COBIT is used primarily by auditors, but it is also employed by managers and end users, and includes four domains containing recommended control objectives and processes for security assurance. Organizations can use the controls that the two standards have in common as the basis for their information governance controls.

Implementing Service-Driven Security Controls

After identifying information assets, threats, and controls, use an ongoing process to address as many security issues as possible automatically, through the most efficient means available. Incorporate IT security into the IT governance framework to successfully secure information assets:

• Relate security issues to business processes and products
• Define the role the IT service help desk will have with regard to security
• Make ongoing security management a sustainable, consistent process
• Measure security controls’ effectiveness and management awareness
• Stay aware of new security risks and related security monitoring tools and techniques

Using IT Operations Frameworks for Service-Driven Controls

Using an IT operations framework to implement service-driven security controls will not only facilitate the management and operation of the IT infrastructure but also incorporate security activities into the business processes. An IT operations framework can be applied within organizations of all sizes. Internationally used IT operations frameworks have grown in popularity since they were first introduced in the 1980s. At that time, technology was spreading through organizations that had been mainframe-centric and was quickly becoming decentralized and distributed across all business units, which often took it upon themselves to install and run their own file servers and minicomputers.
This lack of centralized oversight and of standardization of OSs and practices frequently produced turmoil, problems, and inefficiencies, and IT operations frameworks helped to address those concerns. ITIL is now the most widely accepted approach to IT service management in the world. ITIL’s current library provides a comprehensive and consistent set of best practices for IT service management to help ensure quality and achieve business effectiveness and efficiency when using IT.

Looking at Internationally Implemented Frameworks

The United Kingdom government’s Central Computer and Telecommunications Agency (CCTA) originally created ITIL in 1989 to advise government agencies on how to make the best use of technology. ITIL was created as a series of books describing how to deliver IT services effectively and consistently by following best practices. The core of the approach was to apply established principles of management science to mass-usage IT. The Microsoft Operations Framework (MOF) was first introduced in 2000. MOF combines the ITIL standards with specific guidelines for using Microsoft products and technologies, and extends the ITIL code of practice to support distributed environments and industry trends such as application hosting and Web-based transactional systems.

Building an Asset Security Roadmap

Information security standards (such as ISO 17799), control objectives (such as COBIT), and IT operations frameworks (such as ITIL) can be combined to incorporate IT asset protection into organization-wide asset protection. Incorporating such best security and control practices into the management framework puts security in context with the rest of the business processes and in effect creates an asset security roadmap.

Putting it All Together

To begin putting this information into practice, start by looking in more detail at each of the ITIL disciplines.
As you look within the disciplines, map each of the applicable COBIT controls and ISO 17799 security standards to them. The ITIL components for mapping include:

• Configuration Management
• Incident and Problem Management
• Change Management
• Service/Help Desk
• Release Management
• Service Level Management
• Capacity Management
• Continuity Management, Disaster Recovery and Business Continuity
• Availability Management
• IT Financial Management

Summary

When incorporating security and controls into an IT governance framework, consider the following:

• What is your organization required to do?
• What is your organization afraid not to do? Base this on risk assessment results, recent incidents (both internal and at other organizations), and so on.
• Do the roles and responsibilities clearly document security responsibilities?
• How can the organization accomplish its security objectives in harmony with its business objectives?
• What metrics and audit activities does the organization need to implement?
• How can the organization effectively achieve its IT security objectives?
• What adjustments does the organization need to make?

Organizations can use ISO 17799, COBIT, and ITIL in unison to protect IT and information assets effectively, based on an internationally accepted IT management framework and security controls.

The Executive’s Guide to Securing Assets offers just a glimpse of the issues that you, as an executive, face in securing assets for your organization. Register today to receive the entire series of Executive Guides to Compliance and Security Risks. These informative books will provide you with expert advice on how to assure compliance, secure your assets, and manage the risks associated with your IT infrastructure.
The series includes:

Book 1: The Executive’s Guide to Assuring Compliance
Book 2: The Executive’s Guide to Securing Assets
Book 3: The Executive’s Guide to Managing Risks

Register today at www.netiq.com/go/execguide to download the full series of Executive Guides and discover how to implement effective information security programs that protect your organization.

Contacts

Worldwide Headquarters
NetIQ Corporation
3553 North First Street
San Jose, CA 95134
713.548.1700
713.548.1771 fax
888.323.6768 sales
info@netiq.com
www.netiq.com

NetIQ EMEA
+44 (0) 1784 454500
info@netiq.com

NetIQ Japan
+81 3 5909 5400
info-japan@netiq.com
www.netiq.com/japan

NetIQ Australia & New Zealand
61 (0) 2 9925 2100
www.netiq.com/au

For our offices in Latin America & Asia Pacific, please visit our web site at www.netiq.com/contacts

© 2004 NetIQ Corporation, all rights reserved. All other company and product names may be trademarks or registered trademarks of their respective companies. PG50108EGAC MD 1204

THE EXECUTIVE’S GUIDE TO MANAGING RISKS

Foreword

In the technology-centric environment in which we work today, the ability to manage information risks is yet another critical requirement for business success. Creating an even more challenging environment, the government regulates almost every aspect of running a business. These two issues combine to create substantial responsibilities on the part of business executives and information technology professionals. From the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act in the United States to various international privacy and security laws, regulations have quite a grip on information technology—and that grip appears to be getting tighter. What used to be a concern only for corporate legal counsel and network administrators has grown to also be the focal point of executive and boardroom discussions.
The government is mandating what would otherwise be general information technology best practices to force businesses to protect customer information and prevent corporate misdeeds. Businesses are often expected to have effective information security infrastructures in place—and the task of implementing such an infrastructure is not simple. These new government regulations have ushered in a new era for running a business. Information technology professionals and business executives are now faced with many questions about how to effectively manage information technology and stay out of legal trouble. General information security safeguards that are put in place and revisited once a year for the sake of compliance are not an effective way to manage these new regulatory challenges. Information security products in and of themselves are not the only solution either. What is required is a strong combination of policies, business processes, and technologies that are understood and supported not only by the executives and information technology staff but also by every employee. This recipe for success, combined with recent information security product innovations, has made the process of getting people and technology to work together to improve information security much easier. Business executives and information technology professionals that embrace a philosophy and culture of information security and lead by example can and will be successful during these challenging times of trying to balance compliance with information risks and business goals. Fortunately, positive side effects of solid information security leadership are enhanced information risk mitigation and ongoing government compliance. One of the best ways for organizations to manage these issues and implement proper solutions is to educate themselves. However, with so many scattered resources available, it is difficult to sort through them to discover what really needs to be done. 
In this guide, Rebecca Herold has done an excellent job of presenting the essential information required. Her coverage of what information technology professionals and business executives really need to know and her practical solutions are worth their weight in gold.

Kevin Beaver, CISSP

Copyright Statement

©2005 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties.
You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at info@realtimepublishers.com.

Contents

The Executive’s Guide to Managing Risks
Managing Risks Throughout the Organization
Who Are Your Stakeholders?
What Are Your Value Drivers?
Defining Vulnerability and Threat
Defining Risk
Identifying Assets at Risk
Identifying Asset Values and Impacts
What Is an Information Security Event?
Common Risk Reduction Models
Basel II
COSO
ISO Guide 73
NIST Special Publication 800-30
Be Strategic When Managing Risk
Building a Risk Management Roadmap
Step 1: Identify Events
Step 2: Identify Assets
Step 3: Identify Threats
Step 4: Identify Impacts
Step 5: Produce Risk Reduction Plans
Step 6: Follow Up and Verify that Actions Have Occurred
Summary

The Executive Guide to Managing Risks

Every organization has a mission. Most, if not all, organizations use information technology (IT) to process their information in support of their missions and business goals. Managing the risks associated with that information and the supporting technologies is a critical factor in achieving the organization’s mission. Executive management must visibly and actively support the IT security risk management component of the complete business risk management process. This sponsorship is vital to ensure that stakeholders do not resist or undermine efforts to use risk management to make the organization more secure and protect its health.
Without this clear executive sponsorship, personnel tend to disregard the directives, policies, and procedures that describe how to perform their job duties in a way that protects information and technology assets. Highly publicized incidents, such as the Enron collapse and the Tyco tax evasion investigation, have made risk management a requisite management activity within all business enterprises. Managing risk through effective risk management frameworks ensures efficiency and comprehensive consideration of risk. An effective risk management framework describes an organization’s specific set of functional business activities and the associated definitions that specify the processes used to manage risks.

Managing Risk Throughout the Organization

Managing organizational risk is carried out through a specified set of processes defined in a risk management framework. The objective is supported by the organization’s risk management system and defined within roles and responsibilities. Risk management should be a line management function, not a staff function; it is a management activity and is integral to decision-making. As Peter Drucker, the celebrated “father of modern management,” puts it, “a decision that does not involve risk probably is not a decision.” Organizations must direct and manage IT activities to reach an effective balance between managing risks and realizing business benefits. All business activities are performed under some degree of risk. Effective business management that incorporates information security risk management will help to avert threats and reduce potential harm to the organization.
Key indicators of effective risk management activity in an organization are:

• Visible support and commitment of senior management
• Risk controls and programs that are ubiquitous in the organization and well understood
• A documented risk profile that establishes priorities for modifying risk controls
• Effective risk communication for employees and other stakeholders
• Monitoring and review of performance indicators of the organization’s risks
• Knowledge and documentation of all legal and regulatory requirements
• An ongoing, repeatable process that is integrated into the organization’s culture

Who Are Your Stakeholders?

The first step in addressing the organization’s information security risks is to identify the key business stakeholders. Stakeholders can be any person, group, or entity that can place a claim on the organization’s attention, resources, or output, or that is affected by that output. Stakeholders in a corporation are those persons or entities that bear some form of risk because they have invested capital (human or financial) that is placed at risk by the organization’s activities, or that have regulatory authority over the organization. Stakeholders may be internal or external.

What Are Your Value Drivers?

As defined by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in its Enterprise Risk Management (ERM) framework, a value driver is “a measure of the strategies, processes, activities, or assets that create value and whether they are being utilized in a manner that creates sustainable value.” Typical stakeholder value drivers include increasing revenue growth, lowering the cost structure of the business, and ensuring the continuity of operations.

Defining Vulnerability and Threat

Vulnerabilities are weaknesses associated with organizational assets.
A vulnerability is a condition or set of conditions that may allow a malicious or accidental threat to affect an asset, with greater frequency, greater impact, or both. A vulnerability that cannot be exploited by a threat is not harmful to the asset. A vulnerability is a characteristic of an information asset or group of information assets that can be exploited by a threat. A threat is the potential cause, in any of many forms, of an unwanted event that may result in harm to information assets. Threats can be natural, intentional, or accidental. A threat could result in destruction of an asset; corruption or modification of an asset; theft, removal, or loss of an asset; disclosure of an asset; use or acceptance of an illegal asset; or interruption of services. If a threat can exploit a vulnerability, the system is at risk; the threat must actually exploit the vulnerability to cause harm.

Defining Risk

According to ISO/IEC Guide 73 (2002), risk is a “combination of the probability of an event and its consequences” and a “combination of the extent to which an occurrence of a particular set of circumstances is likely to occur and its outcome.” Risk is the potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of assets and thereby directly or indirectly affect the organization. The security risk level is determined by combining the asset values with the assessed levels of the related threats and associated vulnerabilities. Organizations must manage risks and safeguard their operations to protect information assets effectively. Some risks cannot be avoided completely; there will always be some residual risk, that is, the risk remaining after new or enhanced controls have been implemented. Practically no IT system is risk free, and not every control eliminates the risk it is intended to address or reduces that risk to zero.
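The combination the guide describes (asset value, assessed threat likelihood, vulnerability, and the residual risk that remains after controls) can be written down as a small scoring routine so that a risk register ranks consistently. The following is an added example, not part of the guide or of any of the models it cites: the three-level scales, the rating thresholds, and the asset and threat names are assumptions chosen for illustration. It also carries an asset’s value through to every asset that relies on it, the dependency effect the next section describes, so that a seemingly minor system feeding a mission-critical one is scored as critical.

```python
"""Qualitative risk scoring along the lines the guide describes: a risk level
combines the asset's value, the assessed threat likelihood and the
vulnerability, and residual risk is what remains after controls are applied.

Added example, not from the guide. The three-level scales, the rating
thresholds, and the assets/threats below are assumptions for illustration.
"""
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 1, 2, 3          # assumed qualitative scale


@dataclass
class Asset:
    name: str
    own_value: int                    # business impact if this asset alone is lost
    depends_on: list = field(default_factory=list)  # names of assets it relies on


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                   # likelihood the threat acts (LOW..HIGH)
    vulnerability: int                # how exploitable the asset is (LOW..HIGH)
    control_reduction: int = 0        # levels of vulnerability a planned control removes


def effective_values(assets):
    """An asset inherits the value of every asset that depends on it, so a
    'minor' system feeding a mission-critical one is valued as critical.
    Iterates to a fixed point, so dependency cycles terminate as well."""
    values = {a.name: a.own_value for a in assets}
    dependents = {a.name: [] for a in assets}
    for a in assets:
        for dep in a.depends_on:
            dependents[dep].append(a.name)
    changed = True
    while changed:
        changed = False
        for name in values:
            inherited = max((values[d] for d in dependents[name]), default=0)
            if inherited > values[name]:
                values[name] = inherited
                changed = True
    return values


def risk_level(value, likelihood, vulnerability):
    """Combine value, likelihood and vulnerability into a score of 1..27."""
    return value * likelihood * vulnerability


def rate(score):
    """Assumed thresholds mapping the numeric score to a rating."""
    if score >= 18:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def assess(assets, risks):
    """Return risks sorted by inherent level, with the residual level after controls.
    Residual vulnerability never drops below LOW: no control removes risk entirely."""
    values = effective_values(assets)
    rows = []
    for r in risks:
        value = values[r.asset]
        inherent = risk_level(value, r.likelihood, r.vulnerability)
        residual_vuln = max(LOW, r.vulnerability - r.control_reduction)
        residual = risk_level(value, r.likelihood, residual_vuln)
        rows.append({
            "asset": r.asset, "threat": r.threat, "value": value,
            "inherent": inherent, "rating": rate(inherent),
            "residual": residual, "residual_rating": rate(residual),
        })
    rows.sort(key=lambda row: row["inherent"], reverse=True)
    return rows


# Constructed sample register (assumption). The directory service is "minor"
# on its own, but the payment gateway cannot authenticate users without it.
ASSETS = [
    Asset("payment-gateway", HIGH, depends_on=["directory-service"]),
    Asset("directory-service", LOW),
    Asset("intranet-wiki", LOW),
]
RISKS = [
    Risk("directory-service", "credential theft", MEDIUM, HIGH, control_reduction=2),
    Risk("payment-gateway", "denial of service", LOW, MEDIUM),
    Risk("intranet-wiki", "defacement", HIGH, MEDIUM, control_reduction=1),
]

if __name__ == "__main__":
    for row in assess(ASSETS, RISKS):
        print(f"{row['asset']:<18} {row['threat']:<18} value={row['value']} "
              f"inherent={row['inherent']:>2} ({row['rating']})  "
              f"residual={row['residual']:>2} ({row['residual_rating']})")
```

Run as written, the directory service tops the register at an inherent level of 18 (high) even though its own value is low, because the payment gateway’s value propagates to it; the planned control brings it down to a residual of 6 (medium), not to zero, which is the residual-risk point the section makes. The floor on residual vulnerability and the fixed-point loop are the two places a practitioner would adjust for a real register.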
Identifying Assets at Risk

Assets include all the information and supporting items that an organization requires to conduct business. Examples of such assets include, but are not limited to:
• Information or data such as files containing payment details, voice records, image files, product information, manuals, and continuity plans
• Paper documents such as contracts and completed forms
• Software such as system software, application software, development tools, and utilities
• Physical equipment such as computer and communications equipment, magnetic media, other technical equipment such as medical equipment and environmental equipment, and furniture
• Services such as computing and communications services, service providers, and utilities
• People and their knowledge, including technical, operational, marketing, legal, and financial experts; contractors and consultants; and outsourced providers
• Image and reputation of the organization

Identifying Asset Values and Impacts

Organizations need to know asset values in order to identify the appropriate protection for assets and to determine the importance of the assets to the business. These values can be expressed in terms of the potential business impacts of negative events affecting loss of confidentiality, integrity, and/or availability. Potential impacts include financial losses and loss of revenue, market share, or image.

The dependencies of assets on other assets must also be considered because this dependence influences the values of the assets. For example, a seemingly less-important information system may require more protection if another mission-critical information system depends on the less important system’s results.

What Is an Information Security Event?

In the context of information security risk, events are basically bad occurrences or incidents that cause trouble for business information and/or technology.
An event is an incident or situation that occurs in a particular place during a particular interval of time. Information security events that are likely to be common across many organizations include, but are not limited to:
• Theft
• Fraud
• Malicious code attack
• Acts of nature, vandals, and terrorists
• IT component failure
• Hacking
• DoS attacks
• Unauthorized disclosure
• Breaking the law
• Breach of contract

Common Risk Reduction Models

Once an organization has identified risks, threats, vulnerabilities, assets, and impacts, a risk reduction plan must be implemented. Many risk reduction models already exist. It will save time for organizations to use these existing best-practice risk reduction models as a basis for their own risk management framework. Additionally, executives, especially those who don’t want to be trailblazers, will more likely support the plan if a proven framework is used. Just a few of the existing models are discussed in the following sections.

Basel II

Basel II provides details, principally for banking organizations, on adopting risk-sensitive minimum capital requirements, and reinforces those requirements by detailing the principles for banks to use to assess the adequacy of their capital and for supervisors to use to review these assessments, so as to ensure that banks have adequate capital to support their risks. The Basel II text can be obtained from http://www.bis.org/publ/bcbs107.htm.

COSO

The COSO ERM framework defines essential ERM components, discusses key ERM principles and concepts, suggests a common ERM language, and provides direction and guidance for ERM. The COSO guide can be downloaded from http://www.coso.org/.

ISO Guide 73

ISO Guide 73 provides definitions for the vocabulary associated with risk management, with the intent of developing common understanding and consistent use of the terminology throughout the world. ISO Guide 73 can be purchased and downloaded from http://www.bsiglobal.com/Environmental/Risk/pdisoiec.xalter.

NIST Special Publication 800-30

The National Institute of Standards and Technology (NIST) Risk Management Guide for Information Technology Systems provides guidelines that were created for use by United States federal organizations and provide a foundation for the development of a risk management program. NIST SP 800-30 can be downloaded from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf. NIST also has a draft library of controls, organized by a system’s sensitivity rating, in NIST SP 800-53. You can view it at http://csrc.nist.gov/publications/drafts.html#sp800-53.

Be Strategic When Managing Risk

Strategic information security risk management planning should accomplish the following objectives:
• Identify the specific risks on which the risk program will focus critical resources. Determine the risk management capabilities (processes, investments, resources, and related activities) that will be required. Determine how the resources will be coordinated across the enterprise.
• Determine how the risk program will measure the results and demonstrate the value of risk management processes, investments, resources, and related activities.
• Determine the goals of the risk program. Document how the risk program will benefit the organization and the key stakeholders.

Developing a well-thought-out strategic information security risk management plan will provide many organizational benefits:
• Information gathering during strategic planning will provide an excellent opportunity to interview and receive input from enterprise leaders, while allowing them to participate in the development of the risk program and buy into the outputs of the strategic plan.
• Enables the organization to rationalize current and future activities, investments, and hiring plans
• Enforces professionalism and discipline around the budgeting process
• Provides a way to communicate the vision for the risk program to staff, team, partners, management, and other key stakeholders
• Demonstrates due diligence
• Reduces potential political decisions

Building a Risk Management Roadmap

The process of producing the risk management roadmap can be described in terms of a series of steps.

Step 1: Identify Events

Name each risk event and briefly describe it. Use the list of information security events given earlier as a starting point, then add to it based upon the unique organizational environment.

Step 2: Identify Assets

Start with a generic list that includes the items listed earlier. Add to this list and otherwise modify it as necessary, the idea being to derive the assets that require protection from the analysis rather than the other way round (which, unfortunately, is the typical way of carrying out a risk assessment). Use business continuity planning, acquisition, and other business processes to help identify the assets.

Step 3: Identify Threats

Choose from the list of threats described earlier and add to them with organization-specific threats as applicable.

Step 4: Identify Impacts

Start with the standard impacts described earlier and add to them with organization-specific impacts as required.

Step 5: Produce Risk Reduction Plans

Produce a risk-reduction plan for each identified risk event.
Repeat the following steps until all the impacts have been addressed:
• Identify the risks leading to each impact for known threats
• Identify the risks leading to each impact for unknown, but possible, threats
• Address unacceptable residual risks
• Incorporate the controls and make the control structure as functional as possible

Step 6: Follow Up and Verify that Actions Have Occurred

Once all the risk treatment plans have been developed, verify that nothing has been overlooked. Ensure that:
• All the assets in the asset inventory have been used and risk reduction activities applied. If any are left over, document why they were not used and remove them from the inventory if applicable.
• All the impacts in the impact list have been addressed.
• All the threat agents in the threat list have been addressed.
• All event-impact pairs have been addressed.
• All risks are identified as acceptable or unacceptable, with the reason documented.
• All control failures have been considered and addressed.
• All unacceptable residual risks have been addressed, and identified improvements or compensating controls have been implemented.

Summary

Risk management is a central part of every organization’s strategic management. Crucial to the implementation of a successful information security risk management program is the ability to identify and protect critical information assets based upon the business mission and goals. A successful information security risk management program is the enabler needed to make the implementation successful. The successful management of information security projects continues to increase in strategic significance for the competitiveness of organizations. IT is an essential part of most projects. Even traditional business processes cannot survive without electronic data processing.
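The roadmap above (Steps 2 through 6) can be worked through in a small model. The following is an added example, not code from the guide or from NetIQ: it raises an asset's value to that of any asset that depends on its results, combines asset value with assessed threat and vulnerability levels into a risk level, computes residual risk from the post-control vulnerability, and runs two of the Step 6 checks (unused assets, unaccepted residual risk above a threshold). The three-point scale, the threshold of 6, and the inventory and events are all constructed for illustration.

```python
from dataclasses import dataclass
LEVELS = {"low": 1, "medium": 2, "high": 3}   # constructed three-point rating scale

@dataclass
class Asset:
    name: str
    value: str               # business value assessed on its own
    depends_on: tuple = ()   # assets whose results this asset relies on

@dataclass
class RiskEvent:
    event: str               # e.g. "DoS attack" from the guide's event list
    asset: str
    threat: str              # assessed threat level
    residual_vulnerability: str   # vulnerability level after planned controls
    accepted: bool = False   # residual risk formally accepted, or not

def effective_values(assets):
    """Raise an asset to the value of any asset that depends on it (the guide's example)."""
    values = {a.name: LEVELS[a.value] for a in assets}
    changed = True
    while changed:           # repeat until multi-level dependency chains settle
        changed = False
        for a in assets:
            for dep in a.depends_on:
                if values[dep] < values[a.name]:
                    values[dep] = values[a.name]
                    changed = True
    return values

def risk_level(asset_value, threat, vulnerability):
    """Combine asset value, threat level and vulnerability level into a score of 1..27."""
    return asset_value * LEVELS[threat] * LEVELS[vulnerability]

def verify_plan(assets, events, acceptable=6):
    """Step 6 checks: every asset used, and no unaccepted residual risk above the threshold."""
    values = effective_values(assets)
    unused = sorted(set(values) - {e.asset for e in events})
    open_risks = []
    for e in events:
        residual = risk_level(values[e.asset], e.threat, e.residual_vulnerability)
        if residual > acceptable and not e.accepted:
            open_risks.append((e.event, e.asset, residual))
    return {"unused_assets": unused, "unacceptable_residual": open_risks}
# Constructed inventory: a mission-critical payment system depends on a reporting
# database rated low value on its own; the furniture never receives a plan.
ASSETS = [Asset("payment system", "high", ("reporting database",)),
          Asset("reporting database", "low"), Asset("office furniture", "low")]
EVENTS = [RiskEvent("DoS attack", "payment system", "high", "low"),
          RiskEvent("Theft", "reporting database", "medium", "low")]
```

Running verify_plan(ASSETS, EVENTS) flags the furniture as an unused inventory item and the DoS event on the payment system as a residual risk (9) that is above the threshold and has not been accepted, while the theft event against the now high-valued reporting database lands exactly on the threshold.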
The risks connected with the implementation of IT projects constitute a substantial part of the operational risks within an enterprise and must be adequately and efficiently addressed.

The Executive’s Guide to Managing Risk offers just a glimpse of the issues that you, as an executive, face in terms of mitigating risk for your organization. Register today to receive the entire series of Executive Guides to Compliance and Security Risks. These informative books will provide you with expert advice on how to assure compliance, secure your assets, and manage risks associated with your IT infrastructure. The series includes:
• Book 1: The Executive’s Guide to Assuring Compliance
• Book 2: The Executive’s Guide to Securing Assets
• Book 3: The Executive’s Guide to Managing Risks

Register today at www.netiq.com/go/execguide to download the full series of Executive Guides and discover how to implement effective security information programs that protect your organization.

Contacts

Worldwide Headquarters: NetIQ Corporation, 3553 North First Street, San Jose, CA 95134; 713.548.1700; 713.548.1771 fax; 888.323.6768 sales; info@netiq.com; www.netiq.com
NetIQ EMEA: +44 (0) 1784 454500; info@netiq.com
NetIQ Japan: +81 3 5909 5400; info-japan@netiq.com; www.netiq.co.jp
NetIQ Australia & New Zealand: 61 (0) 2 9925 2100; www.netiq.com.au
For our offices in Latin America & Asia Pacific, please visit our web site at www.netiq.com/contacts

© 2005 NetIQ Corporation, all rights reserved. All other company and product names may be trademarks or registered trademarks of their respective companies.