
18/07/2009 Defining an enterprise-wide Secur…



WEB LINK - http://www.networkmagazineindia.com/200211/guest.shtml

Guest Column: Security Framework


Defining an enterprise-wide Security Framework

With the emergence of new technology strategies such as Intranets and
Extranets, protection of informational assets has become paramount. The first
step is an enterprise-wide Information Systems Security Policy.

by Rahaju Pal / Dhawal Thakker

Traditionally, organizations have relied on policies to communicate high-level
directives from the management. These documents, once issued, provide top
down influence for everyone in the company—from business units to
departments to individual employees. Furthermore, these policies typically were
developed at one time in the organization's evolution to capture the current
environment. One of the major challenges for an organization in this area is the
continued growth and adaptation of the policies to mirror the transformation
within the organization. The fastest area of growth and change within an
organization is Information Systems. With the rapid development and push
toward new technologies, organizations find themselves striving to maintain
current technical environments with outdated policies. Secondly, with the
emergence of new technology strategies such as Intranets and Extranets,
security and the protection of informational assets has become paramount.

The first step is an enterprise-wide Information Systems Security Policy that is
consistently enforced even as business needs change. Unfortunately, most
companies have only bits and pieces of security scattered throughout the
organization. These may make some departments or individuals feel safe, but
they do little to protect the enterprise as a whole.

To address these needs, PricewaterhouseCoopers has designed a Security
Knowledge Management system—the Enterprise Security Architecture System
(ESAS). The idea is to assist an organization in providing a key security
infrastructure tool. Primarily ESAS is built on PPT methodology (People, Policy &
Technology). Over the period PwC also went ahead mapping ESAS with the COBIT
methodology from ISACA and the guidelines given in ISO 17799.

What is PPT methodology?


PPT stands for People, Policy, & Technology. The security process is a mixture
of these three elements. Each element depends in some manner on the other
elements. Also, issues receive greater coverage when the elements are
combined. The controls environment is greatly enhanced when these three
elements work in concert. A simple drawing will suffice to illustrate this (see
Figure 1). This drawing shows the basic elements and also the coverage areas.

As you move toward the union of these elements, the controls environment
increases—there is greater coverage. Let's understand these three elements
individually.

People: This core element is the most important. The people element comprises
the people and various roles and responsibilities within the organization. These
are the people that are put in place to execute and support the process. A few
key roles include senior management, security administrators, system and IT
administrators, end users, and auditors.

Policy: This element comprises the security vision statement, security policy and
standards, and the control documentation. This is basically the written security
environment—the bible that the security process will refer to for direction and
guidance.

Technology: This element includes tools, methods, and mechanisms in place to
support the process. These are core technologies—the operating systems, the
databases, the applications, the security tools—embraced by the organization.
The technology then is the enforcement, monitoring, and operational tool that
will facilitate the process.

The concept is that each core element could be measured for effectiveness
and coverage. Also, issues can be measured against the model to determine
the controls coverage for that issue. The objective then is to move issues
into the intersecting areas of the elements—with the final objective of moving
the issue into the middle area of greatest coverage. As risk issues are
identified, each step to manage the risk will fall into one of the core elements
of people, policy, or technology. If the issue is resolved with one of the
elements, addressing one of the other elements can enhance this resolution. As
the core elements are added to the controls environment and utilized in
concert, the issue is then resolved on several fronts. The controls coverage is
greater.

The PPT Model


The PPT Model can be illustrated with a few simple examples. Figure 2 shows
the PPT Model with regard to Internet usage and misuse. Users are educated
on the proper usage of the Internet. The controls environment relies solely on
the user. An Internet usage policy is written to document proper use of the
Internet and the consequences of misuse. The controls environment now is
supported by two of the three core elements.

Filtering software is deployed on the firewall. Now the controls environment is
covered by all three elements. Figure 3 demonstrates when an issue is covered
only by two of the three elements. It also shows the consequence of a limited
controls environment.

The Internet connection is protected by the deployment of a firewall. Core
elements coverage = 1.

The firewall administrator receives specialized training and develops the skill set
necessary to administer the firewall. Core elements coverage = 2.

The firewall administrator leaves the organization. The controls now rely back
on just one element—the technology.

How can the model be used to identify an alternative solution to Figure 3?
This is depicted in Figure 4.

The Internet connection is protected by the deployment of a firewall. Core
elements coverage = 1.

The firewall administrator receives specialized training and develops the skill set
necessary to administer the firewall. Core elements coverage = 2.

Firewall operating standards are written and controls are documented. Core
elements coverage = 3.

The firewall administrator leaves the organization. The controls environment
relies on two of the core elements. The controls, standards, and technology
are documented so that the skill and knowledge do not completely leave the
organization. Core elements coverage = 2.

From these examples, it is easy to see how the PPT model can simplify the
analysis of a risk issue. If the issue is broken down into the three core
elements, action items can be determined for each core element. In this
manner, control coverage can be moved from one element to two, and
ultimately to coverage by all of the elements.

The PPT model sounds like a very comfortable proposition, but during actual
implementation CIOs used to get lost in the framework. This is simplified by
the ESAS tool.

The ESAS repository


ESAS is a Security Knowledge Management tool designed to bridge the gap
between business and technology. It provides organizations with a centralized
repository of security policies and technical control information. ESAS allows an
organization to effectively communicate security policies and controls
throughout the enterprise, and provides the key infrastructure for a successful
Information Security program.

The major objectives of the ESAS are:

Ensure consistency of organizational security objectives throughout operating units
Allow business strategies and goals to drive Information Security
Allow an organization to deal with the changes in both business initiatives and technology and manage the risk associated with change
Provide a comprehensive set of security policies for the organization
Provide a method to look at information and technical systems from a Risk perspective
Provide the methods to implement security objectives effectively and efficiently at a technical level

ESAS is built on a unique security model/Framework (explained below) to
provide flexibility in managing the information.

Understanding the Security Framework


PricewaterhouseCoopers' Information Security Framework provides the overall
model for developing comprehensive security programs. The framework
illustrates an enterprise approach for security.

Key elements, also referred to as the "Four Pillars" of Information Security,
include:

Solid Senior Management Commitment
An overall Security Vision and Strategy
A comprehensive Training and Awareness Program
A solid Information Security Management Structure including key skill sets and documented responsibilities

Within the four "pillars" of the program, several phases are included.

The first is the Decision Driver Phase, which contains factors determining the
business drivers of security. These include Technology Strategy and Usage,
Business Initiatives and Processes, and Threats, Vulnerabilities and Risk. All
these combine to form a unique "Security Profile" of the organization. The
"profile" needs to be reflected in the Security Policies and Technical Controls.

The next facet of the Information Security Framework includes the design of
the security environment, also called the Design Phase. This is the stage where
the organization documents its security policy, the control environment and
deals with controls on the technology level. A key element in this process is
not only the clear definition of security policy and technical control information,
but also the "Security Model" of the enterprise. Information Classifications and
Risk Assessment methods fall under this component. These processes allow the
organization to manage risk appropriately and identify the risks and values of
information assets.

The final facet of the Information Security Framework is the Implementation
phase. This begins by documenting the Administrative and End-User guidelines
and procedures. These guidelines must be succinct and flexible for the
changing environment. Enforcement, Monitoring, and Recovery processes are
then layered on for the operational support of the security program. These
processes are "where the rubber hits the road". All the benefits of the Security
Program design and documentation are diminished if it is not put into effect on an
operational day-to-day basis.

Rahaju Pal / Dhawal Thakker are Technical Consultants, Operational and Systems Risk Management
Group (OSRM) PricewaterhouseCoopers. They can be reached at dhawal.thakker@in.pwcglobal.com ||
rahaju.pal@in.pwcglobal.com
