30 November 2015

Due Diligence

I have sometimes worked with IT managers who don't want to know anything about security, because it is a field with a lot of obstacles to effective InfoSec Program Management, such as poor support from management, insufficient money and inadequate human resources; and after all, this is useful for them, because when they have an incident they can blame the security field. Therefore, they don't “waste” time and money building an InfoSec Program Management, because that would mean writing policies, procedures and standards to try to manage Information Security efficiently.

IT managers who don't care about security show a lack of due diligence, because they don't commit resources to investigating their business, systems or individuals, while these investigations should be done by managers before any decisions are made. As a result, they make decisions without data and statistics, and if something goes wrong they blame the budget, saying that they need more money to buy more technology, which is often wrong, because what they really need is to use their resources efficiently and buy cost-effective technologies.

This is also related to a concept called “standard of due care”, which is basically the idea that there are steps and processes that we must take, and that reasonable people take, in similar circumstances to make sure that everything is on the up and up. As Information Security Managers, this means the basic components of our security program are in place. We should perform due diligence and not sweep things under the rug; we shouldn't hide security holes and vulnerabilities from management because, for example, fixing them doesn't fit in the budget or because we want to save our job.

Due diligence can be done on a voluntary basis, which is the best-case scenario, but it may also be the result of a legal obligation.

Information Security Due Diligence is typically going to occur during the procurement process. In other words, it takes place when we are actually acquiring and procuring hardware, software, operating systems, applications, personnel, etc. I mean … when we are acquiring the funds to get our programs and projects rolling.

With regard to risk, why should we do due diligence? Because risk must be known and managed in order to fill those holes and mitigate the vulnerabilities.

Due diligence also occurs during a merger or an acquisition of companies. In this scenario we do due diligence to make sure we have identified and are assessing the security risk to our business, reporting that risk and making that knowledge available to potential buyers. We can also belong to a risk, consulting or audit team that assesses a potential company before the purchase is made. This is typically a process that is gone through from an entire macro-business standpoint.

Best regards my friend and remember, if you want to sleep without nightmares you should do due diligence.

23 November 2015

Obstacles to effective InfoSec Program Management

CISOs want to protect the assets of the organization by writing policies and procedures, evaluating risks, deploying controls and creating business cases, but most of them realise that they have a lot of obstacles to managing information security effectively, like poor support from the board of directors, insufficient funding or inadequate human resources, and they end up exhausted and terrified because they know that they will receive an attack at any moment that will affect the business and their jobs.

When we are running an initiative to implement effective InfoSec Program Management, there are always some obstacles and challenges that we have to face. We are going to discuss three main challenges.

The first one is basically poor support from management. This can be vertical, from upper management or executive management, or it can also be horizontal, from other managers who are at the same level and manage other units or departments but with whom we need synergies and cooperation. Therefore this is the overall lack of support, and it can be due to misunderstanding, to politics, or to a lack of interest in security initiatives. Sometimes we have to utilize resources from other departments, like data or individuals from other departments, and of course this is probably going to cut into programs and projects that other managers are putting in place. As a result there is a constant battle for resources in the organization.

Secondly, inadequate funding and insufficient money available to get our security projects implemented. This is one of the most frustrating issues that comes up. Thus, this is a new discipline that security managers have to learn: how to get money to purchase a new cluster of firewalls, to put in place a new Intrusion Detection System (IDS) software solution or other types of management tools, or also just to put together a team of people. Accordingly, getting funding can be a tough thing.

Security management is a new discipline and the board of directors may not recognize the value of security investment in hardware, software, personnel, time, training or awareness, and maybe they see it as low value to the company. It is also tough for the board of directors to conceptually see where money is going on security projects and security programs. We know that mitigating risks and threats that haven't occurred yet is a tough sell for the board of directors, and sometimes they want to wait for the problem to occur before allocating money to it.

Finally, inadequate human resources. This is not just about not having the people; it also has to do with a poor understanding of the type of activities that people have to engage in. Besides, there is the lack of awareness, underutilization and the fact that many business units aren't willing to give up human resources to help us with our programs and projects.

Best regards my friend and remember, all managers have obstacles and we should help each other to run the business effectively.

16 November 2015

Overview of InfoSec Program Management

Previously, I have written about Information Security Program Development and the Security Program Scope, while this time we are going to see, in simple terms, the concepts of Information Security Program Management. This is the process of oversight, monitoring and controlling all of the information security activities, always in support of the objectives of our business or organization. Of course we have to combine this with management to know which resources are available to meet our goals in an optimum fashion.

Information Security Program Management is like managing other organizational units or aspects of our business. The problem we run into here is that security management and program management aren't usually well defined. This is a new discipline that is misunderstood, and it is one area that isn't filled very well by security managers, because most people who work in a security role are technicians: they are engineers with technical backgrounds who understand security standards, security mechanisms, mitigations, vulnerabilities, hacking tools, threats, etc., and they find themselves in a new paradigm with these management responsibilities, without well-defined standards based on years of experience.

The security manager should focus on the administrative duties of overseeing daily security operations. The manager should also be included in incident management, responding to incidents, and in disaster recovery, not putting systems in place but actually responding to disasters, and in any investigations, working with local, state and federal authorities to help investigate security breaches on behalf of our organization and other law enforcement entities.

Typically the information security program manager will be one person, maybe two people, in small and medium-sized businesses, advising and answering to the CIO, who is more strictly concerned with hardware and software solutions. However, in large organizations we can find infosec managers at corporate executive level, advising and answering directly to CEOs, who report to the board of directors.

The InfoSec Manager can have duties like physical security, data security and compliance. Some of these duties may include physical security at the perimeter and at the facilities, protecting servers, networking devices and end-user workstations, and the actual data security itself, which covers data stored and data in transit, over the wire or wireless. The InfoSec Manager should also deal with privacy issues and compliance, like LOPD, LSSI, PCI-DSS, etc. In addition, the InfoSec Manager may be part of the Business Continuity Plan and Disaster Recovery process, which go hand in hand, and the manager can also take part in the overall planning and implementation of the security architecture. This means that the manager is involved in reporting to executives on steering committees, who are responsible for putting together our programs, our policies and the initiatives of our ongoing security projects.

Best regards my friend and remember, if you have any question, go ahead!!

9 November 2015

Governance and Management aren't the same

This week I have begun a new course about CISM, which is run by ISACA, and although I have written several times about Security Governance, I am receiving new concepts and standpoints in this course that I didn't have before, and I would like to write them down here to try to consolidate my knowledge.

First of all, governance isn't the same as management. Governance is an abstract noun that most IT engineers don't have in their heads, because nobody has told them that they have to learn business language to understand the requirements of the business. I mean that most technicians don't understand why the company invests more money or more resources in “things” or projects that at first could seem an error. However, this is the beginning of a strategic and risk analysis.

From the point of view of governance, we have to speak with the board of directors, shareholders and stakeholders in business terms to understand the business needs and make a security strategy to improve the business. This is the main reason we have to learn the business language: once the strategy and the vision of the business are written, we have to write the policies and standards, which should be approved by the board of directors.

If we want to learn more about governance we can use the COBIT framework, which is a guide of best practices to align Information Technology with the Business.

On the other hand, management is the field where we make the security program, which should use the Deming Cycle PDCA (Plan-Do-Check-Act). Although the Plan phase should be in governance, the rest of the phases have to be done inside the security program. In the management field we speak in technical language with technicians and security administrators, and we will also write the procedures, which are step-by-step instructions on how to do tasks like anti-virus installation, hardening services, etc.

Most companies worried about security have implemented security standards like ISO 27001, which is a certification with 114 controls in 14 groups. However, this standard belongs to the management field and not to the governance field, and therefore we can find companies with this security standard that is not aligned with the business needs, or even companies without a strategy.

Therefore, as CISOs we should understand the differences between governance and management, because we have to translate the business language into the technical language and back and forth. I mean, we are in the middle of both worlds, and the more knowledge about technologies we have, the better controls we define, and the more knowledge about business we have, the better alignment we will get.

Best regards my friend and remember, governance and management aren't the same.

2 November 2015

Security Program Scope

In the last post I wrote about the importance of Security Program Development and the easy way to do it if we use a standardized methodology like CMMI or ISO 27001, although each company is unique and has to adapt the policies and procedures to its business. In addition, we shouldn't forget that the board of directors must take part in the development of the Security Program to meet their business needs and requirements. In this new post I want to speak about the Security Program Scope, which is the first step we have to take to limit the extent of the Security Program, due to the fact that sometimes it is too ambitious and therefore unmanageable.

The scope of our security program could involve several factors:
  1. The scope could involve people whose activities and actions actually have a direct or indirect impact on the objectives. For example, these could be the business relationships between different managers, or it could be the actions of remote users.
  2. The scope could involve the development process itself. Things that add to the success of the development process are making sure we have all our customers and employees on board, that we have buy-in from operational management, and that we have ways to communicate during times of crisis.
  3. The scope could involve the information security policy. Within the scope, the policy must meet regulatory and balancing requirements; in other words, integration and balance between business needs and information security needs.
  4. The scope could involve the available technologies and systems that the company has.
To formulate a standpoint, as far as the security program goes,

the scope = people + process + infosec policy + available technologies and systems

Whatever we have in place at any given moment in time, this should be the scope of our program.

Therefore, if we take this scope, we can add to it the overall management or executive objectives, or the management strategy, to deliver our information security charter. The charter should be understood between management and all the individuals who are part of the security program scope:

Scope + Management Objectives = InfoSec Charter

ISACA actually describes in good detail what they consider a mature information security program:

“IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analysed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organisation-wide.”

Best regards my friend and remember, definition of the scope is the first step we have to take if we want a successful security program.