The GCN article suggests that the audit guide used by the payment card industry (PCI) offers the measures of information security that NIST guidance, and the FISMA law itself, lacks. PCI audit guidelines have fairly specific success criteria, including:
- Maintain a firewall configuration to protect data;
- Don’t use vendor-supplied defaults for system passwords and other security parameters;
- Protect stored data;
- Encrypt transmission of sensitive information across public networks;
- Use and regularly update antivirus software;
- Restrict physical and logical access to cardholder data;
- Assign a unique identifier to each person with computer access;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes.
Both points of view are credible. IT management does need to measure security processes (Kash). Information security is not just operational; it’s the whole package—a strategic, tactical and operational concern. (Lazo)
Control Objectives for Information and Related Technology (COBIT) meets both goals. COBIT provides a strategic IT governance framework that defines management objectives for IT processes, and it defines performance measures informing management whether those objectives are being met. In COBIT, security objectives and measures are pervasive throughout every IT management activity: planning and organizing, acquisition, implementation, delivery and support, monitoring, and evaluating performance.
Let’s take an example. COBIT specifies that risk management is a significant component of planning and organizing the IT activity. Risk management requires processes that:
- Establish an IT risk management framework that is aligned to the enterprise’s risk management framework;
- Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes;
- Identify events (important and realistic threats that exploit a significant vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects;
- Determine the nature of risk event impacts, and record and maintain relevant risks in a risk registry;
- Assess the likelihood and impact of all identified risks on a recurrent basis, using qualitative and quantitative methods;
- Determine the likelihood and impact associated with inherent and residual risk individually, by category and on a portfolio basis;
- Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis; the risk response process should identify risk strategies, determine associated responsibilities, and consider risk tolerance levels;
- Prioritize and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution;
- Ensure that committed actions are owned by the affected process owner(s);
- Monitor execution of the plans, and report on any deviations to senior management.
The measures of success toward meeting the goals of the above processes include:
- Percent of critical IT objectives covered by risk assessment;
- Percent of IT risk assessments integrated in the IT risk assessment approach;
- Percent of identified critical IT events that have been assessed;
- Number of newly identified IT risks (compared to previous exercise);
- Number of significant incidents caused by risks that were not identified by the risk assessment process;
- Percent of identified critical IT risks with an action plan developed;
- Percent of IT budget spent on risk management (assessment and mitigation) activities;
- Frequency of review of the IT risk management process;
- Percent of approved risk assessments;
- Number of actioned risk monitoring reports within the agreed-upon frequency;
- Percent of identified IT events used in risk assessments;
- Percent of risk management action plans approved for implementation.
Mr. Kash accurately points to the need to measure how well you’re addressing security activities. But, as Mr. Lazo points out, addressing security from the bottom up won’t provide an adequate payoff. Yes, PCI provides a framework for good security practice; but it’s still just a checklist. Managers need to think strategically, not just operationally, about the real risks to IT assets. In short, management needs to apply governance. COBIT gives them the tools to do just that.
►
4 comments:
Yes, the government's metrics are broken right now. Some really smart people that I know are working on changing that, but it's slow because the culture of Government is to resist change.
I agree with you that PCI is the road to go down. In fact, I wrote a tongue-in-cheek rebuttal on my blog at FISMA: Better if PCI. WTF?
While COBIT makes some sense, the problem is that government is driven by a different set of laws and standards that the private sector. Looking through your description of COBIT, it's exactly what NIST has created in their Risk Management Framework.
The biggest problem that we have in the Government is one of scale:
1. We do not have information security models above the enterprise level.
2. We do not have enough skillfull/clueful people in the DC area to keep up with the demand.
No matter what the framework you use, you still will get the same results because it's not about the framework, it's about the people.
Have a look at the presentation I put together on security and the Government, I go through some of this.
Cavalcade of Risk #54 is up, and your post is in it:
http://www.bargaineering.com/articles/cavalcade-of-risk-54.html
rybolov,
Very humorous sarcasm! That was sarcasm, right? Seriously, I’m so excited about your ideas that I’m going to link back to you.
Yes, NIST Risk Management Framework closely resembles—and in some cases borrows from—COBIT. It’s less structured and much more comprehensive, given all the Special Publications that comprise it. COBIT attempts to specify what you should do to achieve high-performing IT-driven operations. As I view it, the NIST framework attempts to tell you both what you should do and, in verbose detail, how you should do it.
When your smart friends figure out how to dismantle the barriers to quality and performance management in government, please include me in the celebration. I’ve been working on that problem most of my adult life.
I work in a large State government, so I can empathize with your plight. Sounds like the Fed faces conditions very similar to ours. I’m not sure that I can agree, though, that there are not enough skillfull/clueful people to meet demand. I find that a great many skillful—and clueful—people are chewed up and spit out by institutions that were purposefully designed not to change, evolve, or die. The theory of evolution does not hold true for government. Of course, DC is a very different place from Sacramento. Heck, LA is a very different place from Sacramento. California’s difficulty, I think, is:
1. Our constitution gives broad powers to individual agencies to manage as they see fit.
2. Influencers at the Executive level have two levers to shape the will of agencies: policy, i.e. administrative regulations, and law.
But...
3. Administrative regulation is largely ignored, with no ramifications befalling those in positions to know better.
4. Politics makes law impossible to effect.
A few years ago, the Governor commissioned a task force to find ways to improve operations. The group identified over 200 vectors in the problem space. But in short order, cold hard reality befell the naïve Governor’s best laid plans. Between a Legislature and public employees’ union bent on stonewalling all attempts to mandate change, and the utter inability of the Administration to apply pressure on agencies that had been ordained as kingdoms in the State Constitution, the initiative quietly died with only a handful of its recommendations realized.
Incidentally, I’ve been told that the Canadian government has been successful—you define success—at implementing the COBIT framework. I would sure like to visit Ottawa to see what everyone’s talking about.
Hello all, I would also like to give my opinion on Risk and Compliance.
IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: Greater business value from IT strategy, investment and alignment, Significantly reduced business and financial risk from the use of IT, and Conformance with policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report.
You can also get more information from http://www.compliancehome.com/symantec/
Post a Comment