Saturday, December 15, 2012

Effective vs Ineffective Security Governance

Continuing with my earlier blog on Measuring the Performance of EA, I was looking for methods and measures that can be used for measuring the effectiveness of the security program in an enterprise. I happened to read a CERT article titled as Characteristics of Effective Security Governance which contains a good comparision of what is effective and what is ineffective. I have reproduced it here in this blog for a quick reference. The original article of CERT though out dated is worth reading.

EffectiveIneffective or Absent
Board members understand that information security is critical to the organization and demand to be updated quarterly on security performance and breaches.

The board establishes a board risk committee (BRC) that understands security’s role in achieving compliance with applicable laws and regulations, and in mitigating organization risk.

The BRC conducts regular reviews of the ESP.

The board’s audit committee (BAC) ensures that annual internal and external audits of the security program are conducted and reported.
Board members do not understand that information security is in their realm of responsibility, and focus solely on corporate governance and profits.

Security is addressed adhoc, if at all.

Reviews are conducted following a major incident, if at all.

The BAC defers to internal and external auditors on the need for reviews. There is no audit plan to guide this selection.
The BRC and executive management team set an acceptable risk level. This is based on comprehensive and periodic risk assessments that take into account reasonably foreseeable internal and external security risks and magnitude of harm.

The resulting risk management plan is aligned with the entity’s strategic goals, forming the basis for the company's security policies and program.
The CISO locates boilerplate security policies, inserts the organization's name, and has the CEO sign them.

If a documented security plan exists, it does not map to the organization’s risk management or strategic plan, and does not capture security requirements for systems and other digital assets.
A cross-organizational security team comprised of senior management, general counsel, CFO, CIO, CSO and/or CRO, CPO, HR, internal communication/public relations, and procurement personnel meet regularly to discuss the effectiveness of the security program, new issues, and to coordinate the resolution of problems.CEO, CFO, general counsel, HR, procurement personnel, and business unit managers view information security as the responsibility of the CIO, CISO, and IT department and do not get involved.

The CSO handles physical and personnel security and rarely interacts with the CISO.
The general counsel rarely communicates particular compliance requirements or contractual security provisions to managers and technical staff, or communicates on an ad-hoc basis.
The CSO/CRO reports to the COO or CEO of the organization with a clear delineation of responsibilities and rights separate from the CIO.

Operational policies and procedures enforce segregation of duties (SOD) and provide checks and balances and audit trails against abuses.
The CISO reports to the CIO. The CISO is responsible for all activities associated with system and information ownership.

The CRO does not interact with the CISO or consider security to be a key risk for the organization.
Risks (including security) inherent at critical steps and decision points throughout business processes are documented and regularly reviewed.

Executive management holds business leaders responsible for carrying out risk management activities (including security) for their specific business units.

Business leaders accept the risks for their systems and authorize or deny their operation.
All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.

Business leaders are not aware of the risks associated with their systems or take no responsibility for their security.
Critical systems and digital assets are documented and have designated owners and defined security requirements.Systems and digital assets are not documented and not analyzed for potential security risks that can affect operations, productivity, and profitability. System and asset ownership are not clearly established.
There are documented policies and procedures for change management at both the operational and technical levels, with appropriate segregation of duties.

There is zero tolerance6 for unauthorized changes with identified consequences if these are intentional.
The change management process is absent or ineffective. It is not documented or controlled.

The CIO (instead of the CISO) ensures that all necessary changes are made to security controls. In effect, SOD is absent.
Employees are held accountable for complying with security policies and procedures. This includes reporting any malicious security breaches, intentional compromises, or suspected internal violations of policies and procedures.Policies and procedures are developed but no enforcement or accountability practices are envisioned or deployed. Monitoring of employees and checks on controls are not routinely performed.
The ESP implements sound, proven security practices and standards necessary to support business operations.No or minimal security standards and sound practices are implemented. Using these is not viewed as a business imperative.
Security products, tools, managed services, and consultants are purchased and deployed in a consistent and informed manner, using an established, documented process.

They are periodically reviewed to ensure they continue to meet security requirements and are cost effective.
Security products, tools, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine their ROI or effectiveness.

The organization has a false sense of security because it is using products, tools, managed services, and consultants.
The organization reviews its enterprise security program, security processes, and security’s role in business processes.

The goal of the ESP is continuous improvement.
The organization does not have an enterprise security program and does not analyze its security processes for improvement.

The organization addresses security in an ad-hoc fashion, responding to the latest threat or attack, often repeating the same mistakes.
Independent audits are conducted by the BAC. Independent reviews are conducted by the BRC. Results are discussed with leaders and the Board. Corrective actions are taken in a timely manner, and reviewed.Audits and reviews are conducted after major security incidents, if at all.


The article also lists eleven characteristics of effective security governance in addition to listing the Ten challenges to implementing an effective security governance. I would highly recommend you to read the full article.


References:
CERT’s resources on Governing for Enterprise Security


CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University