
Copyright 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Implementing Enterprise Security: A Case Study (Part 1)
By Ken Doughty, CISA, CBCP
This article is part one of a two-part series. The second part will be published in the Journal volume 3, 2003.

Information is an essential asset for organizations because it supports day-to-day operations and facilitates decision making by key stakeholders. The challenge facing organizations is how to provide access to this asset without compromising its integrity. The asset is received and distributed by the organization through various distribution channels, which are connected by the telecommunications network. These channels include:
- E-mail
- Internet
- Applications (e.g., financial, logistics, retail, property and construction, energy)
- DBMS (e.g., MS SQL Server, Oracle, DB2, Sybase)
- Operating systems (e.g., UNIX, Windows NT/2000)

Minimizing the risks that would compromise the integrity and security of the organization's information channels and systems requires the implementation of a security framework, supported by processes and the deployment of tools. However, today's dynamic business environment has resulted in many organizations not providing sufficient resources to maintain an environment that promotes and protects the organization's information assets. Corporate governance is now forcing company boards and executive management to recognize the strategic importance of protecting information assets through effective risk management practices.

In a study of Internet hackings issued by the CERT Coordination Center,[1] in the US alone during 1998 there were 3,734 reported incidents of hacking. This rose to 52,658 reported incidents during 2001. Unfortunately, attacks are not only carried out by people who are foreign to the organization; there are also many instances where current and former employees have been able to cause business disruption due to inadequate security practices.

Although hacking and viruses may be considered the more immediate and greater threat to organizations at present, security exposures in other areas are often not adequately addressed. The education of staff in the control of confidential information is a prime example. Other examples are the proper security of a laptop computer once it leaves the organization's premises and is in transit, the use of personal computers (PCs) by family members where infected data or illegal software may be downloaded, and the sale or release of a company PC without properly erasing company data.

The Information Security Breaches Survey 2002 (ISBS 2002), conducted by PricewaterhouseCoopers in the UK, found that:
- 44 percent of UK businesses had suffered at least one malicious security breach in the past year.
- The average cost of a serious security incident was UK £30,000. Several businesses surveyed had security incidents that cost them over UK £500,000.
- 20 percent of the large organizations where an incident occurred took more than a week to get business operations back to normal.
- 27 percent of respondents to the survey indicated that they had a documented security policy.
- Only 15 percent of respondents indicated that they were aware of the BS7799 Security Standard, which has been adopted by the International Standards Organization (ISO17799).
- Only 33 percent of UK web sites had software in place to detect intrusion.
- Only 51 percent of transactional web sites encrypted transactions passing over the Internet.
- 19 percent of the organizations that provide remote access had implemented two-factor authentication.

This survey again indicates that security is still not being treated by organizations as an investment in protecting their information assets. Rather, for many organizations security is considered an operational overhead and another impediment to doing business.

Case Study

The Organization
The organization is a medium-sized organization with a number of outlets spread across a large geographical area. Security across the organization can best be described as having been neglected by past management, and was considered to be high risk. This situational analysis was captured by the organization's internal audit department and supported by the external auditors. The audit committee reviewed the findings, and as a result the organization's information technology (IT) department was directed to develop an action plan to immediately address the deficiencies and implement an information security framework.

Setting the Scene

Information Technology Environment
The organization's IT architecture included:
- IBM mainframe computers (located in two data centers 20 kilometers apart)
- IBM midrange computers
- Storage area network (across the two data centers)
- More than 300 servers (IBM, Compaq and Sun)
- Four database management systems (DB2, Oracle, SQL Server and Lotus Notes)
- Operating systems (AIX, Solaris, NT/Windows 2000 and OS/390)
- More than 1,000 desktops

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2003

Security Environment
The security environment included:
- No dedicated resource(s) for information security, only for physical security
- No approved information security policies
- No security awareness program
- No deployment of security software and hardware to facilitate security violation logging, monitoring and reporting
- No e-mail filtering
- No URL filtering
- No intrusion detection system (IDS)
- No automatic security patch/fix updates to servers and/or desktops, including notebook computers

IT Culture
An organization's culture is often imprinted not only on its management practices, i.e., policy, procedures and directives, but also on its personnel, particularly if the personnel involved in system development, project and operational management have been long-term employees of the business. Without realizing it, these personnel may execute their duties and responsibilities in a form and manner that is consistent with the corporate culture rather than with generally accepted industry practice. The IT organizational culture had developed over many years with IT as the strategic driver. This meant that the culture was not customer-centric, and lacked the entrepreneurial and commercial acumen required to drive the business forward.

Security Strategy
A strategic and tactical approach was undertaken to address security and lock down the environment within a short timeline: six months, per the CEO's directive. The resources available for deployment were constrained by the previous year's budget allocation; therefore, a cost-effective and value-added approach was required. Consideration was given to fully implementing ISO17799. However, the estimated cost was prohibitive and the standard could not be implemented within the timeframe. Therefore, the strategy was to implement the critical elements of ISO17799 without the cost inhibitor and within the timeline.

The strategy also had to take into consideration the need for the continued delivery of day-to-day IT services to the business. Executive management approved the strategy before its execution. This support was critical to facilitate implementation and future ownership of security by line management.

Tactical Strategy
A security project was established with a dedicated project manager. The organization had recently implemented a corporate project management methodology based upon the Project Management Institute (www.pmi.org) guidelines. This was the first IT project to utilize the project management methodology. A tactical plan was developed to divide the implementation of security into five phases:
- Organizational (i.e., policies and processes)
- Operating system
- Database management systems (DBMS)
- Telecommunications
- Access security (information assets)

Figure: Security Tactical Framework. Panels: Organizational Security; Operating System Security; DBMS Security; Telecommunication Security; Access Security (Information Assets).

Organizational Security
The first action taken was the appointment of a dedicated resource for data security. The data security officer (DSO) initially reported to the CIO until the core security measures were implemented. Then, the position was transferred to an IT operational executive.

One of the first tasks undertaken by the DSO was the collation of all the security audit reports for the past two years and the consolidation of the issues into an Access database (the security register). The security register was to become the repository of all security issues, and the DSO was accountable for adding issues, following up on all outstanding actions, closing them out and reporting on the status of security issues in a timely manner. To ensure that security patches/fixes and alerts were identified for action, the DSO subscribed to a number of security alert services and other security-related web sites (see appendix 1).

In addition, a high-level gap analysis was undertaken to identify and analyze the gap between current organizational security management practices and the ten security management criteria listed in the ISO17799 standard (see appendix 2). The areas identified as deficient included the following.

Security policies: The gap analysis immediately identified that the current information security policies needed to be revised. The existing policies had been placed on the organization's intranet; however, the policies had not been approved by the CEO or promoted throughout the organization so that all staff knew their accountability regarding security. The following policies were identified as having the greatest impact and requiring immediate attention:
- Information security policy
- E-mail usage policy
- Internet usage policy
- Remote access policy

The DSO, with the support of experienced and senior IT staff, revised these policies taking into consideration the security policies of best-practice organizations and ISO17799. The newly revised security policies were submitted to the IT steering committee, which was established by the CIO, for review and endorsement before final approval by the CEO. These revised and approved policies were included in the planned security awareness program.


Security standards: The gap analysis identified that there were no security standards for hardware and software configuration. Upon further investigation it was found that:
- There was no configuration database to assist in the ongoing operational support of the infrastructure.
- Little or no documentation of current configuration settings existed.
- The existing processes were unable to completely and accurately identify, monitor and report upon IT assets.
- The asset records were not up to date.

An action plan (included in the security register) was developed to address the deficiencies identified by the gap analysis. At this time, the organization was implementing a systems management software product to assist in providing IT operational support to its network. As part of this implementation the project scope was expanded to include the development of a configuration database that was compliant with the Information Technology Infrastructure Library (ITIL)[2] model (see appendix 1). The implementation of the systems management software was the catalyst to implement ITIL for:
- Incident management
- Problem management
- Change management

Following the implementation process set out in this article, the remainder of the ITIL model was to be implemented progressively over the subsequent eighteen months.

IT assets: An IT asset audit was undertaken to identify all of the assets and to determine the current security configuration. The audit found:
- 47 percent more servers than the asset records indicated
- No record of routers, hubs and other communication devices
- 300 percent more desktops than the asset records indicated
- A number of storage rooms filled with retired hardware (e.g., PII PCs, printers, various hardware components, software). In one storage room, three large top-end Compaq servers were identified still in their unopened packing cases. It appears that they were purchased for a project that was later cancelled.
- Varying setup configurations for network devices (e.g., routers)
- Varying configurations across the range of servers, desktops and notebook computers (i.e., no standard operating environment, or SOE)

The action plan to address the deficiencies identified by the IT asset audit (included in the security register) included the establishment of a working party. The objectives of the working party were to:

1. Develop the configuration standards, based upon best practice, for hardware and installed software across the three towers:
- Mainframe
- Midrange
- Server/desktop

Following detailed (sociability) testing to ensure that there were no conflicts that would impact the delivery of services to the business, the configuration standards were deployed across the three towers. The configuration database established within the systems management software was updated to reflect the deployed configuration settings. Change management processes were enhanced to ensure that any changes in configuration were updated in the configuration database.

2. Reconcile the differences between the IT asset audit results and the organization's financial records.

Reconciliation of the IT asset audit results and the organization's financial records found a large discrepancy. The majority of the discrepancy was due to the lack of processes to update the financial records for the disposal of IT assets.

3. Develop processes to ensure that IT asset records were kept up to date through the utilization of the systems management software (including an interface to the financial system).

Processes (workflow) were developed to automate the maintenance of the IT asset records (from purchasing through to disposal). This was supported by a rolling stocktake of IT assets by the desktop IT support team.

Security processes: For the existing security processes, the gap analysis identified a number of weaknesses, including:
- A lack of communication (coordination) between the IT department sections
- Little or no documentation of processes
- Heavy reliance on individuals to notify the IT department to remove employees and/or contractors from the various systems (including remote access) upon cessation of employment or contract
- No regular follow-up to ensure that users with remote access still required this facility
- No regular verification with application owners that users' access privileges were appropriate for their roles and responsibilities
- No regular update of the latest security patches/fixes to desktops and notebook computers, including computers provided by the organization to users at their homes

An action plan was developed to address the deficiencies identified by the gap analysis (included in the security register). One of the critical tasks to address the security weaknesses was to identify and select an automated tool that would assist in the download of security fixes/patches to the server/desktop platform.
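The asset audit and reconciliation described above (47 percent more servers and 300 percent more desktops than the records showed, no record of network devices at all, and retired hardware never written off) is, in practice, a keyed comparison of two inventories. The following is an added example and not code from the article or the organization it describes: it matches a constructed asset register against a constructed scan result by serial number, lists devices with no record (to be added to the register), register entries the scan did not find (input to the rolling stocktake or write-off), and the per-kind excess percentage, reporting None where the register has no entries of that kind at all. The Asset and Reconciliation classes, the sample data and the function names are assumptions made for this example.

```python
"""Reconcile an IT asset register against devices found by a systems-management scan.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One device, as carried in the register or as reported by a scan."""
    serial: str          # manufacturer serial number; the key the two sources share
    kind: str            # "server", "desktop", "router", ...
    hostname: str = ""   # informational only: hostnames change on rebuild, serials do not


@dataclass
class Reconciliation:
    matched: Set[str] = field(default_factory=set)     # in the register and seen by the scan
    unrecorded: Set[str] = field(default_factory=set)  # seen by the scan, absent from the register
    ghost: Set[str] = field(default_factory=set)       # in the register, not seen (retired? offline?)
    counts: Dict[str, Tuple[int, int]] = field(default_factory=dict)       # kind -> (recorded, found)
    excess_pct: Dict[str, Optional[float]] = field(default_factory=dict)   # kind -> % above records


def _key(serial: str) -> str:
    """Normalise serials so 'sn-s1 ' and 'SN-S1' identify the same device."""
    return serial.strip().upper()


def reconcile(register: List[Asset], discovered: List[Asset]) -> Reconciliation:
    reg = {_key(a.serial): a for a in register}
    disc = {_key(a.serial): a for a in discovered}  # a device seen twice collapses to one entry

    result = Reconciliation()
    result.matched = reg.keys() & disc.keys()
    result.unrecorded = disc.keys() - reg.keys()
    result.ghost = reg.keys() - disc.keys()

    for kind in sorted({a.kind for a in reg.values()} | {a.kind for a in disc.values()}):
        recorded = sum(1 for a in reg.values() if a.kind == kind)
        found = sum(1 for a in disc.values() if a.kind == kind)
        result.counts[kind] = (recorded, found)
        # No records of this kind at all: a percentage is meaningless, so flag it instead
        result.excess_pct[kind] = (
            None if recorded == 0 else round(100.0 * (found - recorded) / recorded, 1)
        )
    return result


def summarize(result: Reconciliation) -> List[str]:
    """Action lines of the kind a security register would track."""
    lines = []
    for kind, (recorded, found) in result.counts.items():
        pct = result.excess_pct[kind]
        if pct is None:
            lines.append(f"{kind}: {found} found, no asset records at all")
        else:
            lines.append(f"{kind}: {found} found vs {recorded} recorded ({pct:+.1f}%)")
    lines.append(f"add {len(result.unrecorded)} unrecorded devices to the register")
    lines.append(f"stocktake {len(result.ghost)} register entries the scan did not find")
    return lines


REGISTER = [  # constructed: what the asset/financial records claim exists
    Asset("SN-S1", "server", "app01"),
    Asset("SN-S2", "server", "db01"),
    Asset("SN-S3", "server", "batch01"),   # retired to a storeroom, never written off
    Asset("SN-D1", "desktop"),
    Asset("SN-D2", "desktop"),
]

DISCOVERED = [  # constructed: what the systems-management scan actually saw
    Asset("sn-s1 ", "server", "app01"),    # same box as SN-S1, serial reported in lower case
    Asset("SN-S2", "server", "db01"),
    Asset("SN-S4", "server", "test01"),
    Asset("SN-S5", "server", "test02"),
    Asset("SN-D1", "desktop"), Asset("SN-D2", "desktop"), Asset("SN-D3", "desktop"),
    Asset("SN-D4", "desktop"), Asset("SN-D5", "desktop"), Asset("SN-D6", "desktop"),
    Asset("SN-D6", "desktop"),             # reported twice by the scan; must count once
    Asset("SN-R1", "router", "edge-rtr"),  # no router records exist at all
]

if __name__ == "__main__":
    for line in summarize(reconcile(REGISTER, DISCOVERED)):
        print(line)
```

Matching on the serial rather than the hostname is deliberate: a hostname changes when a machine is rebuilt, but the serial is what the purchase and financial record carry, so it is the only key that joins the two sources. The ghost list is the work list for the stocktake; the unrecorded list is exactly what a purchasing-to-disposal workflow should prevent from growing again.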
After detailed evaluation, a software product was selected to automate the download of security fixes/patches to the server/desktop platform operating systems.

Security awareness: For security awareness, the gap analysis identified that there was:
- No regular program to keep users informed of their accountability for their user IDs, passwords, etc.
- Little or no dissemination of information on security policy, standards, guidelines or processes
- No security information included as part of the employee/contractor induction program to the organization or when user IDs were issued

A security awareness program was developed with the assistance of an external consultancy firm. The security awareness program included a number of initiatives:
- Development of a security intranet site. The intranet site included links to the security policies, standards, guidelines and processes.
- A how-to series:
  - How to choose a good password
  - How to virus scan
  - How to work at home securely
  - How to avoid careless talk
  - How to protect a laptop
  - How to be secure at work
- Design and publication of a poster series that was attached to notice boards throughout the organization. The posters were changed on a regular basis (every three months) to keep the security theme fresh.
- Development and presentation of PowerPoint slides at a series of security awareness workshops by the data security officer
- Targeting executive and line managers to attend the workshops and receive security awareness packs
- Preparation of security awareness packs to be issued at the security awareness workshops. The packs included:
  - Copy of the security policies
  - Copy of the how-to series
  - Mouse pads with a security theme (see appendix 2)
- Instructions for executive and line managers. The instructions required the security policies to be distributed to each staff member/contractor under their supervision. The security policies were to be read by all staff/contractors and their signatures obtained (on a listing provided by the organization's human resources department) acknowledging that they had read and understood their obligations and accountabilities in terms of the policy.

An evaluation form was prepared to provide a feedback mechanism to measure the effectiveness of the workshop presentations. Further, an analysis of the number of hits to the security intranet was performed to assist in determining the success of the program. Based on this information, additional strategies were developed to continue the promotion of security awareness within the organization: the "keeping alive" program.

Part 1 Conclusion
Corporate governance is forcing organizations' executive management to address enterprise security. The challenge for organizations is how to implement enterprise security without compromising integrity while providing assurance to executive management. In part 2 of this article, which will be issued in the Journal volume 3, 2003, the case study will pick up with an analysis of how this organization implemented enterprise security, particularly:
- Operating system security
- Database management system (DBMS) security
- Telecommunications security
- Access security (information assets)

Appendix 1: Internet Resource Links

News, Magazines and Resource Links
- CNN.com computing, www.cnn.com/tech/computing
- Computer Crime and Intellectual Property Section (CCIPS), an up-to-date site listing computer intrusion cases prosecuted in the US and including case details, damage and punishment, www.cybercrime.gov/cccases.html
- e-commerce Times, www.ecommercetimes.com/news
- Gartner Security & Privacy, www4.gartner.com/1_researchanalysis/focus/security_fa.html
- High Tech Crime Consortium, www.hightechcrimecops.org/links.htm
- Information Security Magazine, www.infosecuritymag.com
- InfoSec and InfoWar Portal, www.infowar.com
- Infosyssec, the security portal for information system security professionals, www.infosyssec.net/infosyssec/index.html
- Intelligence and Security Resource Directory and links, www.members.home.net/albeej/pages/Intelligence.html
- Intelligence Online, the latest political and business intelligence news, www.intelligenceonline.com/
- IT World: UNIX Insider, www.itworld.com/Comp/2378/UnixInsider
- Network Computing, www.nwc.com
- Network Fusion, network and security issues with other related links and white papers, www.nwfusion.com/index.html
- Politics and intelligence sites, www.dspace.dial.pipex.com/town/plaza/hd27/pers/intell.htm
- Security Focus, www.securityfocus.com
- Security Management On-Line, www.securitymanagement.com
- Security National News Center, www.metases.com
- Security News Portal, www.securityinfoportal.com/infosyssec/addnews.html
- Security Portal, www.securityportal.com
- Security Search, The Internet Security Resource, www.securitysearch.net
- TechRepublic, www.techrepublic.com/index.jhtml?_requestid=284
- Windows and .NET Magazine Network: Security Administrator, www.ntsecurity.net

Mailing Lists
- CERT (Computer Emergency Response Team), www.cert.org
- Computer and Internet Security Resources, www.virtuallibrarian.com/legal/ccmailing.html
- Computer Privacy Digest, www.uwm.edu/Org/comp-privacy/
- FAQs, frequently asked questions on IT security, especially UNIX, www.faqs.org/faqs/computer-security
- Internet Security Systems Alerts and Advisories, bvlive01.iss.net/issEn/delivery/xforce/alerts.jsp
- Neohapsis archives and lists, contains numerous security and audit mailing lists including SANS and network computing alerts, www.archives.neohapsis.com
- Risks Digest, a forum on risks to the public in computers and related systems, www.catless.ncl.ac.uk/Risks/20.62.html

US and Canadian Governments
- Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, US Department of Justice, www.cybercrime.gov
- Computer Incident Advisory Capability (CIAC), US Department of Energy, www.ciac.llnl.gov
- National Institute of Standards and Technology (NIST), an agency of the US Commerce Department's Technology Administration, www.csrc.nist.gov
- Safe Harbor, US Department of Commerce, www.export.gov/safeharbor
- US Government Computer News (GCN), www.gcn.com/index.html
- US National Criminal Justice Reference Center (Justice Department), www.ncjrs.org/alphtitl.html
- US National Infrastructure Protection Center, www.nipc.gov
- US National Security Agency, includes US government policy on IT information, data, cryptology, etc., www.nsa.gov
- US Office of the National Counter Intelligence Executive, the Computer Security Resource Center within the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST), www.ncix.gov/pubs/index.html

Associations and Organizations
- Anti Virus Information Exchange Network, www.avien.org
- Applied Computer Security Associates, www.acsac.org/acsa
- Association for Computing Machinery, www.acm.org
- Better Business Bureau Online, www.bbbonline.org/businesses
- Center for Internet Security, www.cisecurity.org
- CERIAS, a center for multidisciplinary research and education in areas of information security, Purdue University, www.cerias.purdue.edu
- CISSP OSG, the Certified Information Systems Security Professional study site, www.cccure.org
- Coalition for the Prevention of Economic Crime, www.ncpec.org
- Communications Management Association (CMA), www.thecma.com
- Computer Security Institute, www.gocsi.com
- Cotse, The Computer Professional's Reference, www.cotse.com/home.html
- Critical Infrastructure Assurance Clearinghouse, a cyberdiscussion group, www.ciac.com
- CyberAngels, www.cyberangels.org
- Cyberspace Policy Institute, www.cpi.seas.gwu.edu
- Federal Information Systems Security Educators' Association, www.csrc.nist.gov/organizations/fissea/index.html
- Financial Services Technology Consortium, www.fstc.org
- Global Internet Project, www.gip.org
- HackerWatch, an antihacker online community, www.hackerwatch.org
- Human Firewall, www.humanfirewall.org/csiconference.htm
- Information Assurance Advisory Council (UK), www.iaac.org.uk
- Information Security Interest Group (ISIG), www.isig.org.au
- Information Systems Audit and Control Association (ISACA), www.isaca.org
- Information Systems Security Association (ISSA), www.dev.issa.org
- Information Technology Association of America, www.itaa.org
- Institute of Communications, Arbitration and Forensics, www.theicaf.com/index.htm
- Institute of Internal Auditors (IIA), www.theiia.org/iia/index.cfm
- International Crime Prevention through Environmental Design (CPTED) Association, www.cpted.net
- International Centre for Security Analysis (ICSA), www.icsa.ac.uk/Main/home-frame.htm
- Internet Engineering Task Force, www.ietf.org
- IT Governance Institute, www.ITgovernance.org
- Joint Security Industry Council (UK), www.psiact.org.uk/index.htm
- National Colloquium for Information Systems Security Education, www.ncisse.org
- National Electronic Authentication Council (NEAC), www.noie.gov.au/projects/consult/NEAC/index.htm
- Open Mobile Alliance, www.wapforum.org
- Privacy Foundation, www.privacyfoundation.org/index.cfm
- Project Management Institute, www.pmi.org/standards/standardsettingprocedures.htm
- SANS Institute, www.sans.org
- TRUSTe (privacy resource site), www.truste.org/index.html
- 21st Century Money, Banking & Commerce, highlights financial services developments and trends, including new structures for transactions and ventures and the growth of electronic banking and e-cash, that will shape the future of banking, www.ffhsj.com/bancmail/bancpage.htm

Standards
- BS 7799 c-cure Site, UK Information Security Management Standard, www.c-cure.org
- European Telecommunications Standards Institute (ETSI), www.etsi.org
- International Standards, www.isostandards.com.au
- Standards Australia, www.standards.com.au
- UK Computer Laws and Regulations, www.ja.net/cert/JANET-CERT/regulation

General Interest
- Accessibility.com, a disability resource link, www.accessibility.com.au/sydney/links/vision.htm
- AntiOnline, www.antionline.com/index.php
- Cartome, www.cartome.org
- Common Vulnerabilities and Exposures (CVE), a list of standardized names for vulnerabilities and other information security exposures, cve.mitre.org/about/
- Computer Forensics, www.computer-forensics.com
- Cryptome, www.cryptome.org
- Dshield, Distributed Intrusion Detection System, www.dshield.org
- Elsevier Science, www.elsevier.nl/homepage/#top
- Honeynet Project, a nonprofit research group of 30 security professionals dedicated to information security, www.project.honeynet.org
- Information Warfare Research Site Australia, www3.cm.deakin.edu.au/%7Evstagg/infowar/
- Internet.org, the Internet's Threat Monitor, www.incidents.org
- IT Security Awareness, Carnegie Mellon, Software Engineering Institute, www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017abstract.html
- Lance's Security Whitepapers, www.enteract.com/~lspitz/pubs.html
- National Fraud Information Center, www.fraud.org
- Native Intelligence Inc., www.nativeintelligence.com
- SecuritySearch.Net, The Internet Security Resource, www.securitysearch.net
- Spam Cop, www.spamcop.net
- Special technical site: Port Numbers and Assignments, www.iana.org/assignments/port-numbers
- Spyware, a PC surveillance reference site, www.geocities.com/snapshotspy
- Technical Surveillance Counter Measures, www.tscm.com
- Vmyths.com, Truth About Computer Virus Myths and Hoaxes, www.vmyths.com
- Web Accessibility Initiative, www.w3.org/WAI/
- World Information Technology and Services Alliance (WITSA), www.witsa.org/papers/cip.htm

Appendix 2
Extracted from ISO17799, Information Technology: Code of Practice for Information Security Management.
1. Security policy. Objective: To provide management direction and support for information security
2. Organizational security. Objective: To manage information security within the organization
3. Asset classification and control. Objective: To maintain appropriate protection of organizational assets
4. Personnel security. Objective: To reduce the risk of human error, theft, fraud or misuse of facilities
5. Physical and environmental security. Objective: To prevent unauthorized access, damage and interference to business premises and information
6. Communications and operations management. Objective: To ensure the correct and secure operation of information processing facilities
7. Access control. Objective: To control access to information
8. Systems development and maintenance. Objective: To ensure that security is built into information systems
9. Business continuity management. Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
10. Compliance. Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual

Endnotes
[1] The CERT Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
[2] ITIL (www.itil.co.uk) is a series of best practice guidelines in IT service management.

Ken Doughty, CISA, CBCP has over 20 years' experience in information technology auditing, in both the public and private sectors. He has an accounting degree and post-graduate qualifications in internal auditing. He has lectured part-time at the University of Technology, Sydney (Australia) and has had a large number of papers published in auditing and business continuity journals, as well as a book on business continuity. Doughty was a recipient of ISACA's John Kuyers Best Speaker Award for 2002. Copyright K. Doughty 2002

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2003 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA(TM) Information Systems Control Association(TM). Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 cents per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

