ISACA CISM – Domain 03 – Information Security Program Development part 11

81. Managing Complexity Part1

One of the things you can say though, in today’s world is that there’s a lot of complexity within the infrastructure. As the business environments grow, many of your business processes and support functions are going to have to integrate quite seamlessly to be effective. That can be seen as again increasing complexity. Now, I’ve utilized this analogy several times, but it still holds true. If I think about ordering something thing online and I connect to the web. Well, if I don’t want to count the home users PC and the Internet service providers they have to go through to get to my service provider to get to my server, if I don’t want to include that into my complexity, I guess I can leave it out. But there’s a piece of it that we still have to look at. But then for me to make the order, what has to happen? Well, your web server is going to have to probably connect to some back end database server.

That database server will provide information that it can use to show what’s in stock or in inventory and what the prices might be. That back end database server probably also keeps track of my usernames and passwords or it has to integrate with some other type of authentication server to verify who I am when I log in and place my order. I also know that I want my order to be done through encryption. So now I have to have encryption technologies SSL or TLS, which usually means that there has to be a certificate authority that has issued certificates at least to the server. Now that I’ve gotten to that point, if it’s still not complex enough, I’m going to put in the information and give you my credit card. From there, that application has to go out to a banking complex to look at that card to see if I have funds available and then from that to be able to transfer it to its banking account.

So now it’s making multiple bank connections which may be going through several credit card processing centers. Then of course, we have to notify the inventory department to make sure that it’s actually in stock, have it set out to shipping where shipping can then worry about getting it packed up and put onto a shipping server to be able to get that product to my home. All right, so in one little easy transaction, I hope that I’ve described the complexity that we might be talking about and that was just for ordering something off of your web server, not counting all the other type of complexities that are a part of your infrastructure. So that means we have to really provide a framework and a roadmap to be able to make some headway into working or managing with complexity. We often think of the architecture as a way of working for us as that roadmap. Now there are some things we can do to try to break this down we can add simplicity and clarity by layering or adding modularization.

The example might be is if I’m going to build a brand new housing subdivision what do I need to put in? Well I’m thinking that before I have to put in any of the homes I’m going to have to probably put in the sewer system that connects to the city and the water system to connect to the city water. Or however the case may be, I’ll probably have to make sure that our underground lines are there for telephone TV for power to the homes. And once I get that built in then I can worry about laying out the roadworks, the roads and starting the paving on the roads, having people break down again the different lot sizes and then going in from that point forward. So what I’m saying is that a subdivision has some very much complexity to it. But if I approach it in its simplicity and clarity and looking at it layer by layer it’s pretty easy to see it in its totality.

Because I realize that through good planning, through layering, through modularization I can deal with the issues of saying okay, gas lines, water lines, sewer lines, power lines, cable TV get that done. There’s my foundation build on top of from there and it goes hopefully much smoother. Well we can do the same exact type of clarity and layering in our infrastructure design. Now from there of course the other thing that we see in the complexity is the business focus. And when I say that is I’ve really kind of relied on the technical domain in my description. I mean sure we talked about housing tracks but I’m talking about the infrastructure, the network infrastructure. And really to even make it more complex we have to realize that our business focus does go beyond the technical domain of what it is we’re trying to accomplish. And really our technical du lean is designed to help support the business focus.

82. Managing Complexity Part2

Now, having said all of that about complexity, we have to realize that architecture and control objectives are considered in combination of technologies to be able to provide what we call control points within a systems infrastructure. Now remember, this idea of architecture is something that’s, you know, around ten years old and that can act as a framework or help us in providing the roadmap to being able to get to certain goals, especially as we’re talking about security programs. So in that part of it, then when we look at the architecture and we know what our objectives are with the controls, that we know that, as I said, that those things are going to be combinations of technologies, it could be combinations of policies and procedures, but we use them as control points within our system. Now, some examples of the architecture policy domains that you might deal with things like your database management systems.

Your telecommunications, your web applications assets, or being able to access them as well. Again, those are all things we have to look at as far as managing complexity with the web application, I already talked about as an example of having an architecture or control objective to provide encrypted communications. And what we’d have to do to work within that domain of web applications in telecommunications, of its voice over IP, we may have discussions about segmenting the traffic so it can’t be easily intercepted by the people on the data portion of our network. And database management systems have their own authentication systems, their own authorization systems, their own way of breaking down the databases into manageable pieces, and as well as adding control points for security and authorization.

83. Objectives of Information Security Architectures Part1

All right, well, let’s take a look at what the objectives are for the information security architecture. Remember, the underlying idea for the architecture is that the objectives of a complex system has to be something that we can comprehensively define, that we can have precise specifications, and that their structures are going to be engineered and tested to perform and fit and function. Now we’ve, we also know that we have to have the performance monitored or measured according to the design objectives. So then what we’re seeing here, then the objectives of that architecture for information security is trying to help us in solving the complexity issue. But it won’t do that. As I said, unless there is a good definition or a comprehensive definition and precise specifications, it just can’t be a bunch of wandering, ambiguous types of terms.

It has to mean something and be something. I can look at and say, okay, I got it, I see the structures, I can test them, I know what the goals are, I know what the specifications are. Now unfortunately, little exists for an overall comprehensive enterprise security infrastructure or its management as it relates to the business objectives. So this is an area that’s still growing and of course is going to add some work for us in the security management field to be able to relate to complex systems. But it is a beginning to have examples of architectures that we can look at to help us in trying to come up with this kind of a design.

84. Objectives of Information Security Architectures Part2

Now, one of the things we can look at is like the SABSA model. The SABSA, it has six different layers that can help us in assisting in developing a model for an enterprise architecture. In looking at it inside of these different layers, we can look at it and it defines some of the layers as the business view. In the business view, that’s kind of the contextual security architecture that we’re going to use. The architect’s view would be the conceptual security architecture. Now, all right, so we so far, we’re kind of getting that right. The business view, we know in context what we needed to do.

The architect says, okay, I can see that vision. And then the designer says, okay, I will do the logical security part of it that meets that conception that you have the conceptual view to meet the business’s contextual view. Now, from there, the designer is working on those logical security architectures, but the builder will also be looking at it from the physical security architecture. The tradesman’s view is that they’re going to deal with the component security architecture, whatever that component might be. It could be PC peripherals, it could be parts of the infrastructure. And of course, the facilities manager’s view is to look at the overall operational architecture.

85. Physical and Environmental Controls

As we look a little more precisely to things like your physical and environmental controls, we need to remember that no matter how good your technical security is, it can be easily thwarted by having a lack of good physical security. In fact, that’s been the subject of many good movies where this mainframe of data we want is not connected to the world. And what it was we had to send somebody through through a little hole in the roof on a rope, and they couldn’t drop any sweat. All these little cool things. It was like well, I really like that idea of showing you that as much of that security as they have, that it was still lacking in physical security. All right, well, it didn’t appear to me that it was lacking in that movie. But they found the vulnerabilities. At least we could say, well, I look at the philosophy of if I can touch it, I own it. And that’s true for any physical mechanism. I can look up how to override the logical controls.

And that’s, like I said, every vendor I’ve seen has on its website how to do a password recovery. And if I can do a password recovery, most often the existing configurations are not erased. I know they were on a couple of Firewall products that I worked with, which I thought was kind of cool. But even then, erased is not zeroing it out. We talked about that, about data disposal or destruction, which means I could have still forensically recovered it off of their solid state drives. Anyway, again, I’m starting to ramble a little bit there, but I’m trying to say physical mechanisms are easy enough for me to break in and own that technology. So that means we have to use physical controls to help mitigate the damage, especially looking at the physical controls for the facilities and using other resources that might maybe be of a natural or technological event.

And again, right, physical controls can help us for some things. The design of the buildings, of course, for a natural event might be designed to help protect against hurricanes or tornadoes. It’s just a matter of how you set it up. As a quick example of a physical control, the actual design of a building that I was in, working for a company in Florida, it was a beautiful view, and I was about 30 floors up, a beautiful view of the ocean. And I asked him, I said, Tell me about this building, if there’s a hurricane. And I only asked because there was one coming. It missed us. But anyway, they said, well, you’re probably safer in this facility. They told me how the glass had been designed for winds up to 175 miles an hour and designed for shatter capability in case the wind was throwing objects at the building.

And that how the power grid was backed up by a generator that they had deep under the ground with I don’t remember how many tens of thousands of gallons of propane to keep that thing running. And they had a full kitchen, and, I mean, it was like a little fortress, but it was a beautiful building. And I thought, well, that’s pretty cool. As a physical control, trying to protect the information. The kind of things that they were needing to keep safe were pretty intense, but it was a great facility. And I thought, all right, there are some examples, again, of types of physical and environmental controls. Of course, I like giving extreme sides. Not every one of us can have that kind of a building, but that is the goal. Now, from there, I can tell you the physical security was also quite good as far as what it took for me to get in there and the fact that I had to be escorted in most places.

86. Lesson 10: Information Security Program

Now when we talk about the information security program, it’s important to remember that as the information security manager, there’s really not an expectation that you are directly configuring the processes that are involving security. Instead, really those are functions that are assigned to other people within the organization. In fact, as we’ve made mentioned many times that often you as a security manager may not have the precise knowledge of exactly how to configure a router, a firewall, the security on a server. It depends on what your skill sets when you came in were. But we all have our own focus. But what is important is that you understand what those products do, what the controls are capable of and what your expectations can be.

So as a manager you can be able to measure it, see that you’re in compliance and be able to help make sure that the people who are your resources can get you to that end game right at the end of that roadmap. Now, we also have to remember that as we’re looking at the Enterprise in a whole, that there may be security controls that are related to different business units. These business units, because we now are looking at a security program that is Enterprise wide. We’re looking at the entire architecture that those controls will be under the guidance of the security manager or under that management aspect. So that means that there are security controls that are not in the information technology sector of that business, they’re not in that business unit, but they do exist.

And so that means the security manager is going to be responsible for assigning the roles and responsibilities to those controls to the people that are within those business units. But they must manage all of them. Which means that they are there to help close the gaps between those business units within the organization that may have their own responsibility, as I said, for different security controls. With that kind of management in place, we’re hoping that we don’t see overlapping responsibilities or overlapping work and that we are trying to manage really a method in which all of the security controls are integrated together. Now again, some things that we might deal with when we talk about this separation, of course, are examples of maybe if I need to purchase a technology that I as a business unit can’t do it by myself.

I have to go through procurement to get there. And procurement may have their own set of methods or things they have to look at to make the reviews, to make the authorizations. So they have their own little units that they work in and they have their own controls. But again, as a security program we’re going to have hopefully the management look over the entire thing. That’s also true if there’s a new It project bringing a new It project supported by the business that can also follow some type of system development lifecycle and then those also have to be integrated into the information security managers overall security program.

87. Information Security Program Deployment Metrics

Now, in the development of your information security program, there are several metrics that you must consider, things that are metrics that are necessary to track and guide the program development. That’s an important part of It. We also should be looking at It during the implementation of that program and of course, looking at those metrics during the lifetime of It being active, during the monitoring and managing and maintaining of It. Now, that just means you ask the question, are metrics going to be needed for ongoing management results? And the answer is, certainly it must be, because we always have to test to make sure that we are in compliance. We may make changes to systems that introduce potentially new risks, but if we don’t have new risk assessments, we won’t know if that’s the case.

If we have changes to a configuration and we have no way of looking at metrics to see if we’re still in compliance, then we don’t really have a very useful program. Now, it may be useful to clarify the distinction between managing your technical It security systems at the operational level and the overall management of information security programs, because there is that distinction here. A lot of the examples I’ve given you are managing them at the operational level for It, where we worry about how the firewalls are configured, how the server has been patched in its management. But remember, in the security management field, I’m looking at the overall manage of information security as the entire enterprise.

Now, also remember that the Security governance should have a set of goals for the information security program, and those are goals that are designed for the organization. Now, when we think of it that way, your metrics really just have one purpose, which is to help me in decision support, especially in deciding things like am I making that compliance? Am I hitting those targets or not? Now, we do look at metrics in a couple of categories. We might look at them at the strategic metrics. That’s where it’s kind of a combination of your management metrics to validate if the program is on track or if it’s at budget. We also have our management metrics where we’re managing the security program to see that it’s at levels of compliance. The operational metrics often are a technical set of metrics that might be the use of a vulnerability scan or patch management information.

• Category: Uncategorized