What do you think? Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?

I recently went to the 2nd Annual BITs Shared Assessments in Chicago. http://www.sharedassessments.org/

I found the event driven mostly by product vendors, a few assessment firms, and some footprint from the banking industry. During the time of the event and now I was able to deliver an engagement and as a result of the conference and this delivery I have the following comments.

1. Many assessors are using older versions of the SIG and still have not adopted 4.2.
2. Product vendors have incorporated many of the features and appear to be pushing the solution the most.
3. The current AUP and SIG are fairly decent, but the overall solution still needs to mature greatly. I found that several of the AUPs were incorrect or missing. I have yet to consolidate all my comments; however I emailed the main contact number on the site. Currently comments are submitted one by one. I don’t want to enter them one by one, thus, I haven’t submitted as I’m still waiting for a response after several weeks.
4. The current scoping and process for delivery is underestimated. My experience shows that you will have to set strict guidelines with the number of follow up conversations and have a cut off for evidence. Otherwise the entity that is assessed will continue to try and justify they have the appropriate controls in place.
5. There are plans for mapping to other compliance regulations. There are many more comments I have about this solution, but mostly I’m seeing customers use only the SIG Light or SIG level 2.

I see this as holding a place in the 3rd party assessment realm for an organization. I’m wondering! Is anyone else using the Shared Assessments? What are your thoughts? Will this solution grow and be used like PCI even though it doesn’t have the formal backing like PCI?

I been tracking via this blog a good amount of search hits looking for security staffing and governance.  Unfortunately when you search there is not much out on the Internet.  If anyone is interested let me know and I will start an open source project off this blog to create a governance and staffing solution/program.

For those that have little or no knowledge in this area I suggest you review the Security Task Force documentation and the Educause updates located here:

Educause Information Security Governance Assessment Tool

For an open source program I would like to build of the current work, but also provide a lot more emphasis on the organizational charts and the roles and responsibilities.  If your interested please let me know and we can get everyone together and create an updated model for multiple industries.

The polls are open!

While visiting this site please check out the new IS Management page and contribute to the voting polls.

• http://infosecalways.com/is-management-polls/

If you would like to see new or different polls added let me know.

For anyone looking to find or understand the main key compliance documents across the following industries, regulations, regions of the world the link below has a good list.

http://www.unifiedcompliance.com/forms/tracked_documents.php

Industries, Regulations, Regions:

• Sarbanes Oxley Guidance
• Banking and Finance Guidance
• NASD NYSE Guidance
• Healthcare and Life Science Guidance
• Energy Guidance
• US Federal Security Guidance
• US Internal Revenue Guidance
• Records Management Guidance
• NIST Guidance
• ISO Guidance
• ITIL Guidance
• US Federal Privacy Guidance
• US State Laws Guidance
• EU Guidance
• UK and Canadian Guidance
• Other European and African Guidance
• Asia and Pacific Rim Guidance
• System Configuration Guidance

Also, some of these are already linked off this site.  If anyone is feeling like they have some free time feel free to send me links to the listed documents and I will add them to the Links page.

This document is written with the assumption that the organization follows ISO and has implemented many of the controls (including Disaster Recovery), but may be lacking in the area of business continuity management. This document aims to consolidate and leverage the work already done for other ISO controls to jumpstart the BCP compliance efforts.

The first step in compliance is to develop and implement a BCP management process.  The process needs to identify the critical business processes within the organization and incorporate management requirements.

Process:

1. Identify critical business processes and associated assets.  Create a template or leverage the disaster recovery (DR) documentation (Note:  The DR information may not be complete enough as it usually only includes recovery of technology functions and may exclude important business functions or process that do not rely on technology.) and send to managers requiring them to document their critical business processes by location.
2. Identify the consequences in the event of a disaster.  Again most of this should be in a DR plan.
3. Identify controls to reduce risk.
4. Ensure information for business operations is available.
5. Ensure BCP is integrated within business processes and includes security.
6. Ensure that plans are updated and tested on a regular basis.

Below is a sample that can be used and quickly put together to help meet some of this compliance.  Use Excel and list the critical business processes in a matrix associated with each geographic location as shown below.

The next step is to identity the results of different events by doing a business impact analysis.  Continuity plans have to be developed to for quick restoration of operations and should be integrated with information security and other key management processes.  Controls that can be put in place to reduce risk should be identified.

The Threat should define “Who”

The Event should define “What, Where, and When”

The table below is an expansion of the above.  (Threats are repeated for consistency)

After the assessment the following must be done:

• Continuity plan(s) must be created.
• Roles and responsibilities must be documented.  Most should have already been done for other ISO controls, but there may need to be a few short statements added to reflect business continuity compliance.
• Procedures and processes must be documented.  Many of these should have already been documented as a part of incident response, disaster recovery, change control, and other standard operations.  A few additional procedures may need to be created like the process of documenting and updating plans.

Plans must have the same framework.  This means all departmental plans must be a on a standard template.  A centralized escalation and evacuation plan should be developed.  Evacuation plans can simply state follow building evacuation procedures.  Escalation plans in most cases can follow standard disaster, emergency services, or incident response plans.

Plans need to address:

• Roles and responsibilities of key staff (i.e. BCP coordinator, executive management, and users)
• Summary pointing to the documents that have recovery procedures for operations.  In many cases these procedures are in the disaster recovery area or part of the standard operating function.
• Testing of plans.  This needs to track and schedule each element and when its tested. 
• Storage of plans at alternate locations
• Ownership of plans
• Fallback procedures
• Resumption procedures
• Awareness and Training
• Review of plan(s)

Putting everything important together is the key to the business continuity plan.  Many of the items above exist within many organizations but they have not been organized or consolidated in one area.  A document detailing each of these items and consolidating them all in one location is the key to passing the assessment.  If you are already working towards ISO compliance then Business Continuity Management is just one more minor component that can be accomplished quickly by consolidating a large amount of information in one place and creating a document (plan) that organizes and explains everything that needs to be done with these documents if there disruption to business operations.  In some cases there may need to be department level plans that are a close mirror to the main plan but focus more on departmental operations.  Some assessments will look for both centralized and departmental plans.

For more information you can also review that actual ISO/IEC 17799/27001 documentation and the BS 25999-2 Specification.

10% of IT budget seems high.  It would be nice if someone provided an industry breakdown.  I can’t imagine that certain industries are even close to this number.  Resource links to the posting are below.

• http://disaster-resource.com/newsletter/subpages/v251/newsclip6.htm  
• http://www.networkworld.com/news/2008/090408-it-budget-data-security.html?hpg1=bn

The Ten Most Important Things That The CSO Of The Republican and Democratic Conventions Should Be Doing To Ensure The Security of The Event

Overview

In 2004 I had the unique responsibility of being CSO for the Republican convention in NYC.  My role was primarily to secure the campaign network and work with the host committee to ensure security of their network.  To help those currently in similar positions or involved with other short time events and conventions I complied the top 10 measures that helped keep our environment secure.  In no way is this list complete, but the most important items have been listed.  This list also does not address obtaining management support or developing security policy, which are two fundamental elements to implementing all of the measures described below.

The Top Ten

The Convention Security Top Ten Security Measures (in no particular order) are: 

1. Change Passwords Frequently
2. Implement External Network Filtering
3. Physically Separate Speech Network
4. Change Voice Mail Messages
5. Review User Accounts and Access Lists  
6. Create an Incident Response Plan
7. Enforce a no Wireless Policy
8. Implement Intrusion Prevention
9. Implement Disaster Recovery Plan
10. Continually Walk Around and Assess

What makes Convention Security so Different? 

• There is no permanent IT staff, organization, or existing IT documentation.
• Everything done for the convention is temporary; everything must be taken down and returned a few days after the convention.
• The project must be completed by the date of the convention. There is no room for failure.
• Many decisions are based upon political considerations, including the appointment of key IT personnel. 
• IT budget is usually “raised” specifically for this event.  In the case of the Democratic and Republican convention all funds are usually dual-approved between Host Committee and Campaign.
• Political conventions have a major emphasis on IT security: it’s a National Special Security Event (NSSE) (i.e. involves Homeland Security, US Secret Service, FBI, NYPD and CERT).
• Short timeframe in some cases only 30 to 60 days to install the IT infrastructure in convention sites.
• No IT Program Management or Project Management structure.

  

Top Ten Detailed Measures

On the following pages is a description of each security measure with actual real world examples used in the Republican National Convention of 2004.

  

1.  Change Passwords Frequently

Based on my experience passwords are the number one way an attacker will gain access to a computer system.  The attacker gets in because the password is either the default supplied by the vendor, blank, easily guessable, written down, or typed in a file on another system.  Therefore, change all passwords as often as possible including system accounts, users, mobile devices, firewalls, routers, etc.  Don’t wait until the last minute to find out your blackberry servers bsadmin service password is “blackberry”. 

Changing passwords at first will be painful for the users, but this is a must for event security due to turn over of employees, use of volunteers, and maintaining control of the systems under management of the security staff.  During the week of the convention IT should try not to change any passwords.  In fact ALL CHANGES should be frozen during the week of the convention unless there is some emergency.

 

2.  Implement External Network Filtering

Implement external firewall and router ACL filters that exclude every country outside of the US.  There are very good lists that can reduce your IPS hits from 100,000s a day to 100s a day.

 

See my IP black list posting

http://infosecalways.com/2007/11/08/ip-address-blacklist/

 

3: Physically Separate Speech Network

Usually in a convention there are a series of speeches given by well known individuals.  In the 2004 convention there were several important people speaking like Arnold Schwarzenegger, Dick Chaney, and the President George W. Bush.  The original network design was setup with the speech network connected to the Host Committee and Campaign network, which were connected to the internet.  The worst possible scenario would be hacking the speech system prior to the event or when the actual candidate was talking on live TV.  Thus, as a security professional it is important to separate the speech network and make sure there is no way any user on the internet has any chance to connect to these systems. 

 

In the 2004 convention, amazing as it was, the speech server was placed in an Xray room at Madison square garden.  With the level of paranoia the fuses were pulled on the Xray machine and a separate pad lock was purchased and put on the door.  We called this the red room because the outside had a red Danger sign on the door because of the Xray system and it was in the Red Zone.  The only system on that same network was a Cisco network IDS server and only three individuals had access to the room. 

 This room located was in the Red Zone; the secret service controlled area that restricted access to the under stage and candidate environment.  Only four IT staff members had access to this zone.  For the 2004 convention the staff that had access was the CIO, the CSO, the Cisco engineer that ran the network cables, and an intern with political connections who administrated the badge system along side the secret service.  

 

 

4: Change Voice Mail Messages

This has to be one of those hard lessons learned for some of the IT staff at the 2004 convention because several employees were harassed for weeks during the convention as a result of their voice mail messages.  Many of the IT staff didn’t use office phones because there were several other means of communication such as cell phones, NextTel click to talk phones, and Blackberry devices. 

 

Social engineering attacks are a very big threat for several months prior to the convention.  As CSO you will need to talk to the front desk staff and find out actually how many calls come in.  Many of them will come in from the other party (i.e. Democratic Party in this case).  The week of the convention the front desk staff was so used to these calls that the majority of them were just transferred to the main desk at the Democratic convention.

 

The main problem that affected the technology staff was not just the political activists, it was the individuals that listed to voice mail messages and was smart enough to identify the IT staff and then harass them later.  In one case we had one specific vendor, who will remain anonymous, that left their company name and cell phone number on the voice mail.  When the harassing attack occurred this person was receiving several calls a day on their personal cell phone and ended up contacting the local police who continued the investigation.  In the end basically you will have to change your cell phone, so it is important to change all of the technical staff voice messages to avoid social engineering and harassing attacks.  Remove names, titles, cell phone numbers, etc.  You don’t want your top IT staff getting spammed with calls that essentially DOS their cell phones because they left the number and their title on their office phone.

 

5: Review User Accounts and Access Lists

Continually review user accounts and access lists to systems, applications, network devices and datacenters frequently.  You might be amazed how many volunteers have access and other staff members that no longer work for the convention.  This is a must and should be done several times before the event.

 

6: Create an Incident Response Plan

Create a solid response plan and make sure that CERT (http://www.cert.org/) and the Secret Service are included.  Although spam may be your only incident it will be important to have worked out who to call first and who can investigate the incident.  During the 2004 convention we came across four items that could be classified as incidents.  These were social engineering, DOS attempts, data leakage, and spam.

 

Social engineering was discussed above in item 4: Change Voice Mail Messages, DOS attempts were targeted at the campaign web site which was externally hosted with an infrastructure capable of the traffic.  During setup we performed a site inspection of the third party and required additional technology implemented for preventative measures.  Data Leakage occurred and we were notified after it hit the media.  The problem turned out to be an internal volunteer that leaked an Excel file of Campaign names to the media.  This is always a difficult and costly problem to solve, but in this case the repercussions were small and had little affect other then media coverage.  Then our one major incident that we fully enacted the IR plan turned out to be confusion among a spam email that got through the filter and was titled something along the lines of “you’ve been hacked”.  It turns out it the message was a spam email for a video tape that some delegate received and thought his system was compromised.  Overall the process worked great based on after incident feedback.  The process for this is below.

 

Incident Response Process Flow Example:

 

Enforce the “need to know” policy.  Tell the details of an Incident to the minimum people necessary. 

 

1. Initiate the Investigation. 
2. Can you confirm this is an incident? If yes go to step 5. If no go to step 4.
3. Make note on Incident report form and explain that it was not an incident; Go to Step 15.
4. Notify the Secret Service. 
5. Activate the Incident Response Team.  Fill out the Incident Report Form (Appendix D).
6. Continue Investigation.
7. Were systems on the network affected? If yes go to step 9, If no go to step 10
8. Notify staff and administrators on affected system(s). If dispatched to a site remember to document location.  Go to step 10
9. Is there a possibility of criminal action? If yes go to step 11. If no go to step 12.
10. Notify the Secret Service and wait for instruction. Do only as they say.
11. Contain and/or isolate victim system(s).  If this is a virus or worm unplug the system from the network.  DO NOT power down the system because some viruses may delete information when the system is rebooted.  If it is NOT a virus or worm disconnect the network or do a hard shutdown of the system.  DO NOT do a graceful shutdown because valuable information may be lost.  Log all actions.
12. Notify the Secret Service.  Log all actions.
13. Return the system to normal operation.  Log all actions.
14. Incident over.  Fill out Incident Report Form (Appendix D).  List all actions.
15. Hold a short meeting with the Incident Response Team, CERT, and Secret Service to identify the Lessons Learned and adjust the program accordingly.  List all actions.

 

7. Enforce a no Wireless Policy

This is just a simple solution.  Wireless is not secure enough, hard to monitor, and should be turned off on every device connected to the network.  Make sure that all laptops have the wireless setting disabled too.  Only use blackberry and Nextel type devices.  You don’t want any one with a wireless card bridging in external networks or something worse. 

 

It’s a hard enough job to ensure that everything is shut down; let alone trying to monitor outsiders connecting to the network.  The Secret Service may also block wireless at different time (though they can neither confirm nor deny that!), which may cause disruptions of signals.

 

During the convention at night when the speeches were being conducted the main job of the CSO and the IT support staff was to simply monitor wireless systems and ensure that no device was connected to our network cables. 

 

8. Implement Intrusion Prevention

Install both network and host intrusion prevention.  There will be viruses so this combined with anti-virus will stop propagation.  Behavioral based solutions work very well and should be installed on every system.  Below is a diagram for the network with the placement of network IDS systems.

 



RNC Network

 

 

 

 

9. Implement Disaster Recovery Plan

Implement redundancy for all equipment and possible circumstances.  In most cases communication is the most important item so ensure email and other services are redundant and located offsite.

 

10. Continually Walk Around and Assess

Check cabling, wiring closets, and wireless access points (that shouldn’t be there) by walking around the facilities regularly and constantly scanning for wireless devices.  It’s amazing how many people have access to your wiring closets.  Its also amazing when you find water dripping on your cords, so check everything multiple times. 

 

 

 

 

 

 

This whitepaper has a good overview of key components of a risk based security plan, which have been put into practice on several occasions.  This provides good direction with a decent amount of detail. 

Site Requires Registration:

http://searchsecurity.bitpipe.com/detail/RES/1212429613_869.html 

The document is about 12 pages explaining the steps for performing a risk assessment to developing a security plan to determining security budget. 

One of the key problems a security manger must tackle is defining the budget for security training.  Many awareness program guides break it out into a method similar to the following:

1. Identify security roles and responsibilities
2. Conduct a needs assessment
3. Identify the gaps
4. Develop and implement the training plan

Skills Identification

The key step here is the identification of roles and responsibilities.  Identification of security roles and responsibilities is probably one of the most important fundamental aspects to a successful security program.  Although, writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, it is important when defining the core security staff’s training to build on the role definitions by creating a skills identification table.  A skills identification table will work for most organizations because it provides a quick profile of each security professional.  To create a skills identification use excel or a similar program and setup a structure similar to the one shown in the table below.

List each employee in the security program in the left column and then ask each one of them to fill in their certifications and training.  Columns should be added for all security certifications and training associated with employees.  This information will provide the security leader with the organizations current security capabilities.  It will also be easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications.  For career planning you could also expand this model to include a section for desired certifications, training, or expertise.

Applying to Budget 

Now that each employee has provided their information the identification table can be used to help with the annual training budget.  Ideally the security leader should set the annual training budget for at least one training session a year for each employee.  The security leader should also take one training a year, but if cost becomes an issue then offset the security leader training by attending conferences and conventions.  If possible training schedules and classes can be used to prepare for new corporate projects by attending training with specific project needs.  Otherwise training should be defined with each employee based on their career goals and the goals of the organization.

Depending on the size of the core security team an average week of training may cost anywhere from $2500 to $5000 depending on location and accommodations.  To define and annual budget take the number of staff and budget for the $5,000 per person annually.  For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training.  Determining the actual classes beforehand will help predict the budget more accurately and possibly save costs on travel.  If you are in a large organization, especially one that is decentralized the budget may increase significantly.  One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training.  In this situation budgeting will have to be performed by contacting a vendor(s) to obtain pricing quotes.  Keep in mind there may be an issue with taking a large amount of employees away from their regular work. 

Overall there are several advantages to this staffing an budgeting approach.  One immediate advantage of increasing the security training may be reduced consulting costs.  Another advantage will be increased employee moral, as well as improvement of overall security.

There is an article that came out earlier from DRJ (Thomas L. Weems) based on a study that provides guidelines on the required geographical distance for alternate site locations.  This is good news for those performing risk assessments where this is considered vulnerability, because as far as I know FEMA has provided no specific guidelines. 

http://www.drj.com/articles/spr03/1602-02.html (registration required to view)

Ideally 105 miles point to point is the key number for all the threats listed below.  For those who don’t have access to the article below is a breakdown of the recommended geographical distances based on the threat.

NOTE: The article provides a graph so the numbers below is based on my interpretation of the graph.

Alternate Site Distance Recommendations

Hurricane:  105
Volcano:   75
Snow/Sleet/Ice:  70
Earthquake:  60
Tsunami:  52
Flood:   48
Military Installation: 45
Forest Fire:  42
Power Grid:  36
Tornado:  35
Central Office:  29
Civilian Airport: 28
None of the Above: 21

Off Site Storage Facility Distance Recommendations

Hurricane:  85
Volcano:  64
Snow/Sleet/Ice:  56
Tsunami:  45
Earthquake:  43
Flood:   43
Military Installation: 41
Forest Fire:  38
Power Grid:  36
Central Office:  25
Tornado:  24
None of the Above: 24
Civilian Airport: 22

Also the key here is to remember that the off site storage facility should accessible from the alternate site facility, which is a mistake many organizations make.

Problems and Revisions

Based on some quick research there are a few problems with the current distances above.  For example, I took three common disasters and did a quick analysis and here are the results along with some suggested changes.

Hurricane – Katrina spanned a much larger distance then 105 files proving that this distance is not adequate in a very large hurricane storm.  The article below explains that Katrina expanded over 780 miles whereas the outer regions were probably only affected by rain.  However, from my research severe damage was over about a 200 mile radius.  Therefore, I would suggest doubling the current metric to 210 miles.

http://earthobservatory.nasa.gov/NaturalHazards/shownh.php3?img_id=13083

Volcanoes – Although the current figure will probably be fine in most cases there is information to support that volcanoes can spread ashes up to 100 miles as displayed in the below article.  Therefore, this number should be revised to 105 miles based on the type of volcano.

http://pubs.usgs.gov/gip/volc/types.html

Earthquake – Similar to the volcano this distance will probably be sufficient but why take the chance when there is evidence that a 7.8 earthquake ruptured 220 miles of a fault.  Therefore, this number and the definition should be clarified to be at least 60 miles from a major fault line.

http://www.earthquakecountry.info/roots/shaking.html

Its about time!  Foundstone Professional Services has been added to the Avert Labs research blog.  So now the makers of all the free hacking tools are accessible online.  Check it out there are already some great posts. 

 http://www.avertlabs.com/research/blog/index.php/category/foundstone/

I’ve also added it as a Blogroll.

There is an article on The Register web site claiming security spending has soared to 20% of the IT budget.  This is based on a poll of 1070 organizations.

http://www.theregister.co.uk/2007/10/11/comptia_security_survey/

It is a shame the article doesn’t provide more detail.  It would be nice to know the industries surveyed, size of the organizations, and all of the categories assessed.  Does this review include staffing, business continuity, disaster recovery, Application security, etc.?

My experience shows that most organizations can’t account for the actual security dollars spent.  When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget with the exception of the major financial firms and a few others.  These numbers are also pretty much inline with the CSI/FBI annual surveys conducted.

• What is your experience? 
• Can you account for your total security budget? 
• What does that budget include?

Unfortunately this area of security is still lacking in the amount of free information available to the public and many of the assessments are limited to less then 1000 respondents.  I would be happy to post some links on this site if anyone has some good free resources or whitepapers.

The PhishMe blog on building employee awareness to social engineering tactics was inspiring so I finally decided to put up a paper on this site regarding similar subject matter.

Extreme Social Engineering

Combating the Insider Security Threat – A Security Awareness Exercise

This paper has been developed to address the human factor of security and the apparent weaknesses within organizations due to employees’ lack of security awareness.  The purpose is to provide organizations a simple solution for increasing security awareness and combating other malicious insider security threats through a series of social engineering exercises. The document is available by clicking the name above or by accessing the “Papers” section of the site.  

PhishMe Blog Entry:

http://blog.phishme.com/2007/09/time-to-phish-your-customers/

The BS 31100 Code of practice for risk management is also out in draft form free to download and review.  This document has the same deadline as the BCM. 

http://www.bsi-global.com/en/Standards-and-Publications/Industry-Sectors/All-Standards/BS/BS-31100-Draft-for-Public-Comment-DPC-/

The BS 25999-2 Specification for business continuity management is out in draft form free to download and review.  My apologies for sitting on this so long and not getting it out earlier because the deadline is today for review.  Anyway it’s still good to download while you can. 

http://www.bsi-global.com/en/Standards-and-Publications/Industry-Sectors/All-Standards/BS/BS-25999-2-Draft-for-Public-Comment-DPC-/

It’s amazing that after so many disasters and crisis in NYC that the MTA (Metropolitan Transportation Authority) still can’t seem to get it correct.  The link below has a summary of the disaster scenario

NYC Steam Blast Explosion  

Anyway, so NYC is falling apart and all the people that live in Connecticut and upstate New York require transportation out of the city.  Usually the commuters take the Metro North trains.  Unfortunately the explosion is located outside of Grand Central Station where the Metro North trains depart NYC, so access to trains is limited.

Problem

More then 45 minutes after the disaster occurred MTA still did not have its continuity plan in full action.  If you dialed the MTA-Info number listed on their web site you would be out of luck.  Response – All lines are busy.  The website did not have a service alert message for commuters.

http://www.mta.info/ 

Ok phones out of service expected, except that only MTA’s phones are the issue.  Next step call 311, (NYC information hotline) maybe the NYC main government information center can help figure out how to get out of the City.  311 staff didn’t know the status of the MTA trains.  311 staff also couldn’t contact MTA because phones were still out of service at MTA.  Out on the street it was worse.  The police were controlling the area, so they were the only government staff that a person could ask a question.  The answer the police responded with was “you have to wait around”. 

I can’t recall if it was the news or 311 that mentioned going to 125th street, which is one of the locations that the Metro North trains pass while going up north.  Only problem is that train stops were not modified so it was pretty sad to say that many commuters watched trains drive right past.

Improvement

This is basic, but many companies fail at crisis management, business continuity, and disaster recovery for some of the simplest items, like phone hotlines.  MTA needs to update their current plan to include:

Phone hotline that gets immediately updated with current crisis status and directions for customers (This should not be the normal MTA line it should be a crisis information hotline, or utilize the current 311 system more effectively.).

Faster update of the website for emergency situations.

Identify key contacts to improve downstream communications to the police on the street.

Re-evaluate train stops by communicating with the employees in the field to identify over capacity issues at particular stops, such as the 125 street location.

Good Practice

What did MTA do right?  They finally got the information out to the news channels and on the website, but I’m sure it was hard for people standing on the street to get the information.

More on Emergency Management and Business Continuity

FEMA has a great deal of information on Emergency Management

http://www.training.fema.gov/EMICourses/EMICourse.asp

DRJ has a good deal of information on business continuity and disaster recovery

http://www.drj.com/new2dr/model/bcmodel.htm

I came across a pretty good list of topics that Auditors ask for in a HIPAA audit.  This is usually the stuff looked at during a HIPAA risk assessment too.  If you haven’t incorporated all of these topics in your risk assessment then now is a good time to go through the list and update your tactics. 

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&pageNumber=1

Risk Assessments almost always produce one finding consistently.  The finding is lack of roles and responsibilities defined.  The ISO 17799/27001 documents provide some guidance, but in many cases organizations do not know how to define clear security roles and responsibilities.  Before writing this I went through about 20 different organization policy documents to see if any listed roles and responsibilities the same.  In most cases I noticed three solutions.

Solution 1:

This solution did not include clearly define roles and responsibilities.  These documents contained few responsibility statements that were scattered through all different areas of the main security policy or policies.

Solution 2:

Solution 2 was the most consistent across all documents reviewed.  This solution usually defined three specific roles and responsibilities.  These are information owner, information custodian, and information user.  Each of these three roles had several statements defining their responsibilities, while there were additional statements scattered through all different sections of the policy document.

Solution 3:

Solution 3 was more consistent on policy documents that are broken up into smaller documents or much shorter in overall length.  This solution usually had specific roles such as Firewall Administrator, CSO, System Administrators, Compliance Officer, Audit, etc.  In most cases each of these roles had several bulleted responsibilities listed.

What Works?

The best solution is the one that works within your organization and causes less confusion.  If risk assessments are performed regularly then make sure the roles and responsibilities are written address the risk assessment requirements.  Two methods usually work.    

The first is to combine solution 2 and 3 and write a separate roles and responsibilities document or section of the overall policy.  This way there are many roles and responsibilities defined, which are easy to find because they are listed all in one place.

The second is to use solution 2 near the beginning (or in a separate policy document) of the policy document then in each different section of the policy (or each smaller policy document) write a roles and responsibilities sub section with more detailed roles.

How do you write an effective policy that actually works?  A coworker and I recently published a whitepaper.  The goal of the paper was to explain how to write an effective policy by providing both good and bad examples.  Click on the link below to access the white paper. 

http://www.foundstone.com/us/resources/whitepapers/wp_effective_policies_partI.pdf

This is one in a series we are producing, so I will keep everyone posted on the next document.

For those who are interested I will be sitting on a panel in
Las Vegas on May 22nd.  The topic is “Privacy and Security” Are you Ready!.

This should be a good discussion!  The other panel members are from the FBI and a CPP (Certified Privacy Professional).  The audience is geared more toward auditors, but I will also be talking about how hackers access the data as well as how to secure your privacy data.  See the link below for the 29th annual Gaming Conference.  The time slot for the panel is 10:30 to 11:20am.

http://www.nevadacpa.org/associations/3187/files/gaming_brochure_2007.pdf

I will post another reminder the week before the conference.  If your going to be there and have any specific topics you want to discuss let me know and I will see if I can accommodate.

The NYC ISM-Community is proud to announce that we will be serving the tri-state area initially and not just NYC.  This chapter we will be open to scheduling meetings in New Jersey, NYC, and CT if the attendance validates the need.  In the opening stages of this chapter our first major task is to establish a chapter board with the overall responsibility of operating the chapter.  Therefore, as the chair of the NYC ISM-Community chapter I am proud to announce our newest addition as a board member Rohyt Belani.  Rohyt is a well know security professional in the tri-state area and brings a great deal of experience to the leadership of this chapter. 

Welcome aboard Rohyt!

In the next few weeks we should be announcing additional board members and provide the schedule for the kick off meeting.

Looking to obtain management support!  It’s not always easy.  Many organizations security officers are always looking to obtain more management support and funding for their programs.  This can be a difficult task, so what I have done below is list a few perspectives that work within different organizations.  

Compliance – The number one way to get management support is from compliance regulations such as GLBA, HIPAA, SOX, and PCI.  If management doesn’t already know what they need to do then educate them and you will get support and funding to implement parts of the program.

Third Party Review – This can be as simple as doing a risk assessment or by hiring skilled ethical hackers to show weakness in the organizations information systems.  The main point is that management tends to listen more to third parties then internal security staff.  Some times there is nothing new that comes out of these assessments that the CISO/CSO doesn’t already know.  However, third parties have a different presentation and reputation that give them credibility.

Return on Security Investment – For more mature programs, whereas security devices and security testing are integrated into the daily process, return on security investment is the best motivator for management to provide additional support to the program.  Metrics must be measured in these organizations and statistics must be gathered constantly.  Metrics should be measured to show that particular practices such as doing a code review will actually save the company money vs. the current application testing process used within the organization.  Statistics from industry studies must be presented to management providing solid proof that particular security practices will actually save more money over time.

The Proposed Program – For newer security programs, whereas a CISO/CSO has recently been assigned (yes these organizations still do exist) and the security team is very small, a formal proposal and plan must be presented to management.  In this situation, the newly appointed CISO has a difficult job especially if the individual does not have an information security background.  A detailed plan must be developed and this plan must include education for management about the need for security.  The plan needs to explain in detail both short and long term plans for implementing different security controls based on risk assessment.  The key to implementing the plan is to bundle security with other ongoing and new projects.  It is much easier to take a little money here and there vs. asking for the entire budget.  Also, adding to each project will be beneficial later because you have already started integrating security with the different practices already in place.

As many of you know this is one of the main projects in the ISM community and there are some different perspectives of the best method to perform and Risk Assessment.  I am really hoping to get some good feedback across industries on this question.

Where does the Risk Assessment methodology come from?

I know many asset risk assessments are based on the NIST and OCTAVE methods, which is usually the work I perform.  Many of the process based risk assessments I have seen are done by auditors (the Big 5 type companies).  When reviewing many of these I notice they all seem different, thus I’m not sure the method’s they follow (some use COBIT).  Most organizations I have consulted to use the Audit department to perform the process risk assessment while the asset risk assessment is usually done in a separate group or by information security. 

Asset Risk Assessment: Brief overview

The asset based risk assessment that I perform usually focuses on asset risk in terms of the people, processes, and technology.  With that said I do not map every process, like a process risk assessment.  The end result of the assessment is a list of asset groups (prioritized by severity), threats (assigned a value based on likelihood) mapped to each asset group, and vulnerabilities (ranked by impact and how easy it is to compromise) associated with each asset group.  All of these (assets, threats, vulnerabilities) have scores associated with them that when added up produce a risk score.  Then risk prioritized recommendations are created to remediate the vulnerabilities.

We need both!

Is the asset assessment better then a process assessment?  I don’t think so, but most organizations that I have consulted (on risk assessment) have problems with a process based risk assessment when it is done alone.  However, when combined together both methods usually cover most areas of risk.  Again, I don’t think either one is better than the other.  I believe we need a mechanism in place to assess both the asset and its associated processes.  

What is your view?

I wanted to kick off this blog with a little more serious discussion involving security program development. Therefore, I am putting out there my thoughts on information security staffing.

The Question

“How do you determine the appropriate level of security staff I need?”

It’s amazing how many times individuals at organizations want the bullet answer to this question. They ask, “Is there a dollar per staff ratio (1million:1staff) that can be used to see if my organization has the appropriate number of staff? Is there an employee to security staff ratio (1000:1) that I should be following?”

I find this topic important because there are some fundamental items that must be assessed before determining staff for any function within the organization.  For example, Let us talk about software development staff for a minute.  How do you determine how much development staff you need?  Can that question be answered with a ratio to IT staff?  Not really, not without a good deal of additional information. 

What do we need?

I’ve seen a few articles that try to calculate and answer this question.  One particularly I remember was an article using the approach identifying a primary and backup individual for each device platform.  In my experience, this is not practical or cost effective nor does this method use a risk based approach to security.  I think methods like these are missing the key fundamentals for determining staff.  What is that we need to determine the appropriate number in our organization?

Fundamentals of Staffing 

In my experience, I am in the unique situation of evaluating many organizations security staffing levels.  What I have determined is that organizations have more staff dedicated to information security then they really know.  The problem is that the staff is not functioning together as one entity.  A few fundamental items can be used to help management determine the appropriate staff levels.  These fundamentals can also be used to help security function as a single entity with a common goal.  The fundamentals are:

1.  Scope: Scope of information security within the organization.

2.  Requirements: The legal, compliance, and business requirements.

3.  Budget: Total organization budget, IT budget, and security budget.

4.  Roles and Responsibilities: The current and required roles and responsibilities (including the information security governance structure)

5. Time and Assessment: Current security posture, future security posture, and time to be compliant or obtain the future security posture. 

6. Management Support: Executive sponsor ship and commitment.

Putting it Together

Although these are not all encompassing and nor are they a silver bullet solution.  Obtaining this fundamental information in accordance with a risk assessment will help you identify the gaps in your requirements for reaching a particular security posture at a given point in time.  That information prioritized by the risk can be used to staff up accordingly and reach a common goal.

Remember all processes require updating constantly.  So does security staffing, whether it be with contractors or internal employees.  Don’t look at the problem trying to find the correct ratio for the appropriate number of security staff.  This number should be constantly changing based on the fundamentals provided above.  Information security like any other ongoing process must be dynamic and constantly changing to meet the organizations needs at a given point and time.

Recently a couple of new sites were added to the Links page.  These are references for risk assessment documentation and methodologies.