ISACA CISM – Domain 03 – Information Security Program Development part 12

88. Metrics

So as we’re looking at the metrics, there are a number of considerations of things we should think about when we are creating metrics. In other words, there are some attributes we want to look at when we’re deciding what is going to be a metric, what is it we’re going to measure? So, of course, we have to ask questions like, are these metrics manageable? If they’re not manageable, meaning I can’t make alterations. As an example, when I’m logging the throughput of of information going through a server, like in Windows, we have a performance monitor, and I might want to see how that affects the processing capabilities, the network capabilities. Maybe I need to see how it’s affecting memory. But I can change those options around. They are manageable to me. And so we ask those same types of questions about these metrics, of course, at the same time, just because they’re manageable and I have some variety of what I can choose, I got to ask, is what you’ve chosen meaningful at all? If it’s not meaningful, then all it is is a waste of our time and gathering that information.

So that’s another aspect we have to look at the metrics. Now, we should also know what metrics are actionable. In other words, do they give me a sense of direction of where I should go, kind of like the way a compass helps navigate you in the direction you’re trying to get to? If I have metrics that tell me, hey, you need to take an action, then I can say, okay, I get that. I see from this report that I need to reboot a server perhaps, or I need to change a rule in a firewall, or I need to do something based on the information I’m getting. Now, we also have to ask questions like, are the metrics reliable? Is the output really good? Are they being sent to you in a timely manner? Are you getting them from yesterday’s metrics, or are you getting them at near real time? Also, are they predictive? That’s another thing that we have to think about as far as what’s useful for us in the metric realm.

89. Strategic Alignment

When we have the discussion of strategic alignment what we’re talking about is the alignment of your security activities with the organizational objectives because that’s essential and it’s essential in all phases of your security program. Sometimes the primary concern is if the program objectives have materially changed because if they have then we have to say okay if there’s that material change did that get us out out of alignment? And of course we can also ask the question what was it that changed? Did the business objectives change or was it the actual loss security program? Another concern is that any change or modification to the strategic objectives whether or not they’re going to be reflected in the security program objectives. So that means that we have again an ongoing process that we’ll go through in dealing with change and trying to make sure that we can work to keep both of those in alignment.

90. Risk Management

Risk management is a big part of this entire security program. It’s a big part of the lifecycle approach. As I’ve hopefully communicated, as we have talked about it, quite often the lifecycle approach to risk management should be used since your program development risks are going to be different than the strategic or ongoing management risks. And of course that should be true. In fact, we’ve even said that the implementation of the project introduces risk as well. Primarily risks are addressed to the program development and they’re often designed as a project risk. Now the design risk is that on the end result, what we’ve come up with maybe isn’t suitable for the intended purpose.

So again, we’re talking about looking at the overall management or the security project itself and the types of risks that we have to deal with. We should also consider the project risk as it relates to costs, timetables, resources and other critical path matters. So through this process we’re saying basically that we could have risks that are a part of the project. It could have been a poor design, could have been a poor roadmap. We may have based our information on bad metrics to make some of the decisions that we did. And of course, some of those bad decisions might have increased costs, extended the timetables, maybe have made it so we don’t have the sufficient resources. All of those things that we just mentioned are deals that we look at when taking the life cycle approach overall to risk management.

91. Value Delivery

When we discuss value delivering with the security program, that’s usually a series of planned projects that are designed to improve the quality of the overall program. Now here we hopefully have standard metrics that we can use to see if the program is meeting the objectives and delivering the expected value. There should also be an examination of the budgeted cost of the work scheduled or at least of the work schedule, I should say, with the actual cost of the work performed. Again, we’re doing comparisons to see if we are still on target because again, that’s part of the value that we’re trying to deliver.

92. Resource Management

Even with good processes for identifying and designating the technology and the roles and responsibilities for program development, you still have to make sure that the day to day operations are working properly. In other words, we cannot forget that we are still in operation and that we still need to be in some compliance or trying to keep our risks low day to day, even while we’re focusing on trying to go forward with, or perhaps this security project. So what do we need? We need metrics for resource utilizations. Those should be used to support the efforts as far as maximizing our program development. Those may be helpful for gathering historical data. Sometimes we call those baselines of performance metrics.

Especially to gathered on your resource dependencies because that might affect the security program. When you’re managing your resources, you should also make sure that the personnel who have a lead role have a backup to that role, who can perform at any of those given functions unassisted. In other words, we are talking about having what we might call your cross training. Now, remember that as we’re working with resources, people will become ill. People take sick time, they go on vacations. They may just decide they don’t want to be employed anymore with that corporation. And that could leave a gaping hole for you if you don’t have somebody who can fill in that spot right away.

93. Assurance Process Integration

The assurance process integration for a security program should consider how it’s going to interact with and integrate into the other assurance activities. Again, these might be in working and integrating with your physical security, your It security with legal human resources, your privacy issues. The development and implementation of the security program should provide opportunities to be able to hook into these departments.

94. Performance Measurement

Now, there also should be a means of gauging how effective the performance measures themselves are, reflecting the performance of various aspects of your security program. You might find that these performance measurements maybe aren’t adequate or accurate, reliable or timely. So that means we’re actually doing a measurement of our measurement, right? We need to make sure that we’re getting good information. Your performance measurements should demonstrate that if the security program is working and achieving its objectives. But it’s hard to do that if I don’t trust how adequate or have enough information, or whether or not I can rely on it, or if I’m getting them a month after the fact.

95. Security Baselines

And remember, some of the things that we look at is the performance of the creation of a security baseline. Remember that within this time that we’re going through with this security program that our security baseline will eventually change. But that a baseline, again, is that lowest boundary of standards that we have that define the minimum required security for an enterprise. A major part of your security program is made up of the designing and developing and implementing controls to conform to your standards and those should be what meet the baseline. Now, your baseline can also be used as a point of reference especially for your future changes.

96. Lesson 11: Security Program Services and Operational Activities

In this lesson, we’re going to cover a lot of information about the security program services and operational activities. So we’re going to talk about things like the information security liaison responsibilities, talk about cross organizational responsibilities, take a look at what we should see with security reviews and audits, talk about the management of security technology. Cover areas like due diligence with compliance, monitoring and enforcement enforcement. Talk about the assessment of risk and impact. And then of course, we’re going to also look at outsourcing for some of these services, either whether it’s for security or for It services, which will bring us into cloud computing. And then we’ll talk about some of the concerns with the integration of It processes. I shouldn’t say concerns, but more about how we should be concerned with that integration.

97. IS Liaison Responsibilities Part1

All right, so we’re first going to talk about the information security liaison and what the responsibilities should be. And so this is kind of going into, again, some of the discussion about roles and responsibilities and it’s really essential really for an effective information security manager to have an ongoing relationship with other groups and departments in the organization. And so that’s where, you know, that relationship becomes that liaison. And in fact, the more we can integrate and work together then we’re going to achieve really a better security profile or security program. So let’s take a look at some of those areas and especially when we start talking about some of the different liaisons such as physical or corporate security. So usually most or most companies are going to have some sort of department that is going to be charged with, in this case as we sit here, the physical.

And so remember, the physical security could be things like the guards, right, or somebody who’s maintaining logs of entries. It could be things like magnetic key cards that need to be tracked and all the rest of it. But somebody’s in charge with that and they should have hopefully some sort of relationship with the manager to be able to know how and who should be gaining access. Now, it could also be outside of the department, it could be individuals that are from the outside law enforcement world, especially if you’re having to do criminal investigations for those security breaches that could occur. So you can have also liaisons from not just internal but external. The next one is the It audit. And remember, in auditing it can be both internal and external and we’re going to kind of COVID that as we go through and take a look at some of those roles.

But still right in the aspect of the liaison, that’s somebody that we’re going to be working with who’s completing these audits and it’s kind of important. The It audit’s job is to provide assurance or to make sure you’re in compliance to identify risks. And one of the things that they can do, of course, is help you determine if you have proper policies or lack of policies or procedures or standards. And so their job is to do that assessment and to be able to make the reports back to the information security manager so that we can make sure that we are overall in compliance. There’s the It unit, the information Technology unit. And remember, they’re the kind of the hands on people, right? They’re the ones that are doing this work of managing the network, managing security, managing your different systems.

And they are, of course, a critical role because they’re the ones that have to basically enact whatever those policies or procedures are to make sure that they stay within compliance and that they are not following basically, if they aren’t following your policies or procedures, the fact of the matter is they could be introducing new risk into your network. But sometimes they may have a conflict. They may say a certain policy that you have about security is making it harder for us to be able to provide the services that our organization needs. Again, that’s another part of auditing as well, is to make sure that they are following those policies or that they have the ability with the liaison to introduce perhaps changes that need to be made. We can take a look at the business unit manager.

And again, when we’re working with the information security program and management, the different business unit managers should play a part in that overall developing of the program. And again, because each business unit manager, if you were to think of it even as something like the next bullet down, human resources, they’re going to have some issues as well. If we talk about human resources, they may say, hey, we’ve got some very private data information about employees salaries, personal files that need to be kept as secure as they can. And so they have a big responsibility to make sure that they are communicating with the information security manager about what their needs are, what their prioritizations are going to be. And again, they should be involved in this process.

The legal department, all right, so they often can get involved when it comes to the terms of compliance, especially maybe even enforcement. I mean, let’s take the negative approach here and talk about having to do some sort of action or actionable offense against an employee because they didn’t stay in compliance with security policies. We got all those other issues about whether or not somebody is either fined or let go by the department. And of course, they need to be, again, working with everybody in this program. The employees. Again, now employees, when we talk about employees and not being in the negative side of this, for me, they’re kind of like the first notifiers. They’re the ones that are your eyes and ears. And it’s not just people in the It.

Department. It can be employees from any of the departments that if you’ve given them the proper training to help them understand the awareness of security, that that can really be a big benefit to making sure that you can reduce the overall risk or the impact of a security event. One of the things that we tell employees is that we often don’t want to do what we call a piggyback. So this takes us kind of into the realm of physical security. So if you require that they have a magnetic key card, ID card to get into a building, they shouldn’t then hold the door open for somebody who doesn’t have a card that’s called piggybacking where somebody else doesn’t scan in. So again, just making them aware of little things like that procurement, right.

Most organizations might have a formal procurement process that can also have a consequence for information security in the type of devices or equipment that they purchase and bring in.Remember, when we bring in, let’s say, new equipment, we are potentially introducing new risk. And with that new risk, somebody should, before we deploy it, have gone through a process to make sure that it’s going to fit within the needs of the organization as well as the needs for information security. Usually we’re going to have a list of approved items that can be purchased. So if suddenly I’m in charge of, say, of a security team, and I decide I want a brand new firewall that just got advertised, and it looks really cool, if it’s not on the list of approved items, you don’t want them to go through procurement.

And to bring that in, procurement ought to say, well, look, that’s really cool, but you have to get this approved before we can purchase it for you. But if you want to go to this other firewall that we’ve already got on the approved list, then it’s a different story. All right. The other responsibilities, of course, all of this is in the compliance, and we have to at least I can say, and it’s, I think, relatively true that the legalities, the regulatory landscape has become increasingly complex. I remember when I first saw the I call it the manual for HIPAA, it was about the thickness of a single two inch notebook or three inch notebook. And now I think it’s up to like three or four notebooks as it continues to evolve. And again, it’s not a bad thing. We’re just trying to make sure we’re as following as the best practices we can.

Compliance is probably going to be working with legal as well to make sure that legal can kind of sort through the regulations, the laws that are in place to help make sure that you have the right types of policies in place, that you’re following the right legal requirements. And like I said, privacy is another part of this process, and privacy is a big deal. And as I said, it’s not just like worrying about customers information and their credit cards, right. But it goes back to HR as well, with employee records or corporate secrets, kind of the list goes on. And again, depending on the type of corporation you are and the jurisdiction in which your company operates, you may have different privacy laws. As an example, when I was recently over in europe, in brussels, and I was talking about some features of a firewall that could basically do a man in the middle, the idea was that the firewall would be in the network, and here it would be somebody’s bank, and here’s the user on the inside.

That this firewall. When the traffic would come in with encryption, SSL, basically as a man in the middle, it would decrypt the traffic and then re encrypt it to the bank so everything was safe. But the idea was that this device would scan and look to see that there’s no malware going through that encrypted session. Well, that’s something we can do, at least within the United States. But in Brussels, they said no. That kind of thing is considered an intrusion and a privacy, much like there’s many search engines out there where you can do what I’d call a people search that might be actually the name of a web, but there’s many of them out there. But what I’m saying is that we can try to look for online things, like online arrest records and that sort of stuff. Again, where I was at in Europe, they said, no, that stuff is not allowed. So there’s a lot of different privacy laws depending on where or what jurisdiction that you’re in.

• Category: Uncategorized