
Governance and Policy
Tim Shimeall, March 2006


Slide 2: Addressing Security as Governance
A set of beliefs, capabilities and actions:
– Security enacted at the enterprise level
– Security treated as a business requirement
– Security considered during normal planning cycles
– All business unit leaders understand how security serves as a business enabler
– Security integrated into enterprise functions and processes
– All personnel accessing the enterprise network understand their responsibilities
Which of these matter most depends on culture and business context.

Slide 3: Governance
– Setting clear expectations of conduct
– Influencing to achieve those expectations
– Decision making: assigned decision rights, accountability, intended to produce behavior and actions
– Ensuring the organization does the right things and does things right

Slide 4: Security as Institutional Priority
Information security is a human enterprise:
– "lack of security awareness by users" cited as the top obstacle
– overriding impact of human complexities, inconsistencies and peculiarities
People can become the most effective layer in an organization's defense-in-depth strategy, given proper training, education and motivation. The first step is making sure they operate in a security-conscious culture.
Source: Ernst & Young, "Global Information Security Survey 2004," http://www.ey.com/global/download.nsf/UK/Survey_-_Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf

Slide 5: Response Time (chart)
The chart plots contagion timeframe against threat class. The timeframe shrinks from weeks or months, through days, hours and minutes, down to seconds as threats progress from file viruses through macro viruses, e-mail worms and blended threats to "Warhol" and "flash" threats. Across that range, human response goes from possible, to difficult or impossible, to impossible; automated response becomes possible where human response fails and will need new paradigms at the fastest end, where proactive blocking is the option that remains.

Slide 6: What Is At Risk?
– Trust
– Reputation; image
– Stakeholder value
– Community confidence
– Regulatory compliance; fines, jail time
– Customer retention, growth
– Customer and partner identity, privacy
– Ability to offer and fulfill transactions
– Staff and client morale

Slide 7: Responsibility to Protect Digital Assets
More than 80 percent of an organization's intellectual property is in digital form.
Duty of care: governance of digital security
– Govern institutional operations and conduct
– Protect critical assets and processes
– Protect reputation
– Ensure compliance requirements are met
[Jody Westby, PricewaterhouseCoopers, Congressional testimony; case law]

Slide 8: Barriers to Tackling Security
– Abstract; concerned with hypothetical events
– A holistic, enterprise-wide problem, not just a technical one
– No widely accepted measures or indicators
– Disaster-preventing rather than payoff-producing (like insurance)
– Installing security safeguards can have negative side effects

Slide 9: Information Survivability (1)
– Focuses on sustaining the mission in the face of an ongoing attack; requires an enterprise-wide perspective
– Depends on the ability of networks and systems to provide continuity of essential services, albeit degraded, in the presence of attacks, failures or accidents
– Holds that only the critical assets need the highest level of protection

Slide 10: Information Survivability (2)
– Complements the current risk management approaches that are part of an organization's business practices
– Includes (but is broader than) traditional information security
– Business Judgment Rule: the standard of care that a reasonably prudent director of a similar institution would have used

Slide 11: Shift the Security Perspective
                 From                  To
Scope:           Technical             Institutional
Ownership:       IT                    Institutional
Funding:         Expense               Investment
Focus:           Intermittent          Integrated
Driver:          External              Institution
Application:     Platform/practice     Process
Goal:            IT security           Institutional continuity/resilience

Slide 12: Technical problem to Institutional problem
From:
– IT owns the problem and the strategy, and performs the primary activities
– Secure infrastructure = secure organization
To:
– The organization owns the problem and the strategy
– Secure assets and processes = secure organization

Slide 13: Technical ownership to Institutional ownership
From:
– IT is the driver, owner and benefactor
– The CSO is a technical advisor
To:
– The organization is the driver, owner and benefactor
– The CSO is a trusted advisor to the business

Slide 14: Expense to investment
From:
– Security activities viewed as sunk costs, expenses
– Naturally avoided by management
To:
– Security as an amortizable investment in the business
– Security as "goodwill" on the balance sheet, raising organizational value

Slide 15: IA Regulations and Standards
– National legislation (privacy, etc.)
– Insurance industry requirements
– Customer demand
– E-torts and e-pacts

Slide 16: Legal Perspective
– Analyze applicable state laws and municipal ordinances
– Assess IS vulnerabilities and risks
– Review and update IS policies and procedures
– Review policies and procedures for sensitive information
– Scrutinize relationships with third-party vendors
– Review insurance policies
– Develop a rapid response plan and an incident response team
– Work with associations and coalitions to develop standards
Source: Salomon, Kenneth; Cassat, Peter; Thibeau, Briana. "IT Security for Higher Education: A Legal Perspective." Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf

Slide 17: Practice-driven to process-oriented
From:
– Willingness to accept and implement "best practices"
– Practices as process
– Possibly out of context with organizational drivers
To:
– Security is proactive and managed
– Driven by risk management

Slide 18: Shifting the security approach
From ad hoc and tactical: irregular, reactive, immeasurable, absolute
To managed and strategic: systematic, adaptive, measured, adequate

Slide 19: How Are You Managing Information Risks?
– Policies, governance
– Critical information assets
– Who to involve
– Management controls
– Sustain survivability

Slide 20: Security to Resiliency
From:
– Managing to threat and vulnerability
– No articulation of the desired state
– Possible security technology overkill
To:
– Managing to impact and consequence
– Adequate security defined as the desired state
– Security in sufficient balance with cost and risk

Slide 21: A Resilient Institution Is Able To...
– withstand systemic discontinuities and adapt to new risk environments
– be sensing, agile, networked, prepared
– dynamically reinvent institutional models and strategies as circumstances change
– change before the case for change becomes desperately obvious

Slide 22: Security Strategy Questions
– What needs to be protected?
– Why does it need to be protected?
– What happens if it is not protected?
– What potential adverse consequences need to be prevented?
– At what cost?
– How much disruption can we stand before we take action?
– How do we effectively manage the residual risk?

Slide 23: Defining Adequate Security
The condition where the protection strategies for an organization's critical assets and processes are commensurate with the organization's risk appetite and risk tolerances.
Risk appetite and risk tolerance as defined by COSO's Enterprise Risk Management Integrated Framework, September 2004.

Slide 24: Determining Adequate Security Depends On...
– Organizational factors: size, complexity, asset criticality, dependence on IT, impact of downtime
– Market factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
– Principle-based decisions: accountability, awareness, compliance, effectiveness, ethics, perspective/scope, risk management, etc.

Slide 25: Adequate Security and Operational Risk
"Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner."
"With the advent of regulatory agencies assessing an organization's aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts."

Slide 26: Evolving the Security Approach
Process maturation progresses from Incident Response, to Vulnerability Management, to Security Risk Management, to Institutional Security Management.

Slide 27: High Performing Organizations - 1
– Apply resources (time, effort, dollars, capital) to accomplish stated objectives, with little to no wasted effort
– Regularly implement repeatable, predictable, secure, measurable and measured operational processes
– Independently evolved a system of process improvement as a natural consequence of their business demands

Slide 28: High Performing Organizations - 2
– Use defined, verifiable controls to improve efficiency and effectiveness: preventive, detective and corrective controls in place; easier to audit
– Detect production variances early: lowest cost and least impact to fix problems; fix problems in a planned manner
– Devote increasingly more time and resources to strategic issues and new opportunities, having mastered tactical concerns

Slide 29: High Performing Organizations - 3
Demonstrated ability to get IT operations and security organizations working together to create:
– Higher service levels (availability, high MTBF, low MTTR, low MTTD)
– A high percentage of planned (vs. unplanned) work
– Early integration of security requirements into the service delivery life cycle
– The ability to quickly return to a known, reliable, trusted operational state
– Unusually efficient cost structures (server-to-sysadmin ratios of 100:1 or greater)
– Timely identification and resolution of security incidents

Slide 30: Areas of Pain for High Performing Organizations
– Patch management
– Proliferation of "scorecards"
– Managing outsourced IT services

Slide 31: Areas of Pain – Patch Volume
– Low performing: ad hoc, chaotic, urgent, disruptive; increase in unplanned work
– High performing: planned, predictable, just another change, which leads to a higher change success rate

Slide 32: Areas of Pain – Proliferation of Scorecards
– Low performing: look to external sources and authorities; adopt the scorecard du jour
– High performing: have defined their own performance characteristics; can demonstrate traceability to other instruments

Slide 33: Areas of Pain – Outsourced IT Services
– Low performing: transfer the risk; out of sight; then unable to control
– High performing: manage like any other business unit or project; understand the unique challenges; develop a more bulletproof service level agreement

Slide 34: Common Root Causes
– Absence of explicit articulation of the current state and the desired state; thus the current state (and its companion pain) is tolerable: it doesn't hurt enough yet, and nobody knows there is an alternative
– Culturally embedded belief that control is not possible; abdication of responsibility ("throw up my hands")
– Rewards and reinforcement for personal heroics vs. repeatable, predictable discipline
– Continued argument that IT ops and security are different (from other business investments or projects)
– Desire for a technical solution; easier to justify and implement than people and process improvements

Slide 35: IT Change Management
A process for efficient and timely handling of all IT changes. Enterprise capabilities critical to achieving effective change management:
– Risk Management
– Project Management
– Process Management
– IT Operations
– Security Operations
– Audit
Source: IIA Global Technology Audit Guide series, "Change and Patch Management: Critical for Organizational Success"

Slide 36: Change Management Effectiveness (progression of capability)
Based on the IT Process Institute's "Visible Ops" framework. At the low end the changes control the organization; at the high end the organization controls the changes.
Reactive:
– Over 50% of time spent on unplanned work
– Chaotic environment; lots of fire fighting
– MTTR very long; poor service levels
– Can only scale by throwing people at the problem
Using the Honor System:
– 35-50% of time spent on unplanned work
– Some technology deployed
– Right vision but no accountability
– Server-to-admin ratio too low; IT costs too high
– Process subverted by talking to the "right" people
Closed-Loop:
– 15-35% of time spent on unplanned work
– Some ticketing/workflow system in place
– Changes documented and approved; change success rate high
– Service levels good
– Server-to-admin ratio good, but not best-of-breed
– IT costs improving but still too high
– Security incidents down
Continuously Improving:
– Less than 5% of time spent on unplanned work
– Change success rate very high
– Service levels world class
– IT operating costs under control
– Can scale IT capacity rapidly with marginal increases in IT costs; able to increase capacity in a cost-effective way
– Change review and learning processes in place

Slide 37: Measurement
Performance measurement of an enterprise's security state is conducted with the same rigor as for other enterprise functions and business units.
Corporate Information Security Working Group, Report of the Best Practices and Metrics Team, December 2004: thirty information security program elements with companion metrics
– Governance: 7 elements, 12 metrics
– Management: 10 elements, 42 metrics
– Technical: 13 elements, 45 metrics

Slide 38: Example Measures - Governance
Oversee risk management and compliance programs pertaining to information security:
– Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
– Percentage of key external requirements for which the organization has been deemed, by objective audit or other means, to be in compliance

Slide 39: Example Measures - Management
Establish information security management policies and controls and monitor compliance:
– Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
Assess information risks, establish risk thresholds and actively manage risk mitigation:
– Percentage of critical information assets for which some form of risk assessment has been performed and documented as required by policy

Slide 40: Example Measures - Technical
Software change management, including patching:
– Percentage of systems with the latest approved patches installed
– Percentage of software changes that were reviewed for security impacts in advance of installation
Incident and vulnerability detection and response:
– Percentage of operational time that critical services were unavailable (as seen by users and customers) due to security incidents
– Percentage of security incidents that exploited existing vulnerabilities with known solutions, patches or workarounds
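Three of the four technical measures on this slide can be computed directly from an asset inventory, a change log and an incident register. The following is an added example, not code from the presentation or from the Corporate Information Security Working Group report it cites; the systems, patch identifiers, change records, vulnerability labels and dates are all constructed for illustration. It assumes three definitions the slide leaves open: a system counts as patched only if every patch on its platform's approved baseline is installed; a change counts as reviewed in advance if the security review is dated on or before the installation date; and an incident counts as exploiting a vulnerability with a known solution only if the fix was available before the incident occurred, so a fix published afterwards makes it a zero-day at the time and it is not counted. A metric over an empty population is reported as undefined rather than as 0% or 100%.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class System:
    name: str
    platform: str
    installed: FrozenSet[str]        # patch identifiers present on the host


@dataclass(frozen=True)
class Change:
    change_id: str
    installed_on: date
    reviewed_on: Optional[date]      # date of the security review; None = never reviewed


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred_on: date
    vuln: Optional[str]              # vulnerability exploited; None = not vulnerability-driven


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when the population is empty (metric undefined)."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


def patch_compliance(systems: List[System], approved: Dict[str, FrozenSet[str]]) -> Optional[float]:
    """Percentage of systems carrying every currently approved patch for their platform.
    Extra patches do not hurt; a platform with no baseline has nothing to install."""
    compliant = sum(1 for s in systems if approved.get(s.platform, frozenset()) <= s.installed)
    return pct(compliant, len(systems))


def changes_reviewed_in_advance(changes: List[Change]) -> Optional[float]:
    """Percentage of software changes whose security review is dated on or before installation.
    A review dated after installation is a post-hoc review and does not count."""
    reviewed = sum(1 for c in changes if c.reviewed_on is not None and c.reviewed_on <= c.installed_on)
    return pct(reviewed, len(changes))


def incidents_with_known_fix(incidents: List[Incident], fix_available: Dict[str, date]) -> Optional[float]:
    """Percentage of incidents that exploited a vulnerability whose patch or workaround
    was already available on the day of the incident."""
    known = sum(
        1 for i in incidents
        if i.vuln is not None and i.vuln in fix_available and fix_available[i.vuln] <= i.occurred_on
    )
    return pct(known, len(incidents))


# --- Constructed sample data: hypothetical hosts, patches and vulnerability labels ---
APPROVED = {
    "linux": frozenset({"LP-1", "LP-2"}),
    "windows": frozenset({"WP-1", "WP-2", "WP-3"}),
}
SYSTEMS = [
    System("web1", "linux", frozenset({"LP-1", "LP-2"})),                    # compliant
    System("db1", "linux", frozenset({"LP-1"})),                             # missing LP-2
    System("ws1", "windows", frozenset({"WP-1", "WP-2", "WP-3"})),           # compliant
    System("ws2", "windows", frozenset({"WP-1", "WP-2", "WP-3", "WP-4"})),   # extra patch, still compliant
]
CHANGES = [
    Change("CHG-1", date(2006, 3, 3), date(2006, 3, 1)),    # reviewed before install
    Change("CHG-2", date(2006, 3, 4), None),                # never reviewed
    Change("CHG-3", date(2006, 3, 5), date(2006, 3, 5)),    # reviewed the same day: counts
    Change("CHG-4", date(2006, 3, 8), date(2006, 3, 10)),   # reviewed after install: does not count
]
FIX_AVAILABLE = {"VULN-A": date(2006, 1, 15), "VULN-B": date(2006, 3, 20), "VULN-C": date(2006, 2, 1)}
INCIDENTS = [
    Incident("INC-1", date(2006, 3, 2), "VULN-A"),    # fix existed: known-solution incident
    Incident("INC-2", date(2006, 3, 6), "VULN-B"),    # fix published later: zero-day at the time
    Incident("INC-3", date(2006, 3, 7), None),        # credential phishing, no vulnerability exploited
    Incident("INC-4", date(2006, 3, 9), "VULN-C"),    # fix existed
    Incident("INC-5", date(2006, 3, 12), "VULN-A"),   # same unpatched vulnerability exploited again
]


def scorecard() -> Dict[str, Optional[float]]:
    """The three computable technical measures from the slide, over the sample data."""
    return {
        "patch_compliance_pct": patch_compliance(SYSTEMS, APPROVED),
        "changes_reviewed_in_advance_pct": changes_reviewed_in_advance(CHANGES),
        "incidents_with_known_fix_pct": incidents_with_known_fix(INCIDENTS, FIX_AVAILABLE),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name}: {'undefined' if value is None else value}")
```

The fourth measure, unavailability of critical services due to security incidents, needs outage start and end times from a monitoring or ticketing source and is not computed here. Note that the known-fix metric is only as good as the fix-availability dates behind it: without recording when a patch or workaround became available, every exploited vulnerability looks like a zero-day and the measure understates the share of incidents that better patch management would have prevented.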

Slide 41: What Does Effective Security Look Like at the Enterprise Level?
– No longer solely under IT's control
– Achievable, measurable objectives are defined and included in strategic and operational plans
– Functions across the organization view security as part of their job (e.g., Audit) and are measured accordingly
– Adequate and sustained funding is a given
– Senior executives visibly sponsor and measure this work against defined performance parameters
– Considered a requirement of being in business

Slide 42: Governance and the Case Study
What regulations must the convention follow?
– Industry
– Financial processing
– SOX
– Venue
What best practices should the convention follow?

