Protection at All Costs
Corporate data must be tightly secured in a compliance-driven world
- By Patrick J. Conte
- Nov 01, 2007
Ask any security officer what keeps him or her up at night, and chances are that having to deal with the fallout of a data breach will be high on the short list. If you scan headlines over the past year, you can see why—according to the Privacy Rights Clearinghouse, since 2005, more than 165 million records from private companies, government organizations and universities containing sensitive personal information have been involved in security breaches.

In response, numerous regulations have been passed to dictate everything from how personal data needs to be collected, stored and transferred, to how and when breaches are reported. Sarbanes-Oxley regulations carry consequences ranging from fines to jail. So what’s a security officer to do?
A Risk-Based Approach
The first thing to do is to understand that when it comes to data protection—like other elements of security—there is no silver bullet. The best thing a security officer can do is create a strategy that can be presented to other stakeholders to create alignment on what data to protect and why.

Since data protection has a huge bearing on overall corporate risk, taking a risk-based approach to data protection not only aligns security with the needs of the business, but also provides a common language and methodology that helps the security organization decide how to protect the data with greater clarity and justification. For example, this five-pronged, risk-based approach to information protection has gained significant traction with CISOs:
• Priority—Is your organization focusing on the data risks that matter the most to your company?
• Security—Is your security posture aligned with your tolerance for risk?
• Cost—Are you spending wisely on data protection, and can you justify your security expenditures?
• Compliance—Are you meeting regulatory and industry requirements efficiently?
• Complexity—How can you reduce the number and complexity of information controls without compromising security?
Most executives today must rely on a combination of disparate systems and manual processes to address these critical issues. Having deployed a variety of point solutions, each operating separately, the organization is awash in reports and numerous details about what its data is and how it’s being managed. That results in unknown exposures. What they lack is an overall and consistent view of data security, risk and compliance, leaving executives to manage piecemeal. All these factors contribute to the CISOs’ lack of visibility and insight into their environments, and to the inability to clearly solve issues of priority, security, cost, compliance and complexity.
Setting High Standards
However, all is not lost. A best-practices approach to information visibility and control is within reach. Implementing best practices for compliance results in more effective data management and reduces costs. This risk-based, top-down approach for protecting corporate data consists of five best practices:
Best practice 1: Aggregate asset information.
The first step is to collect information about assets related to the security or compliance initiative at hand. For example, for an SB1386 initiative, identify all IT assets (hardware, software, physical infrastructure and processes) that affect data collection, management and storage. Collect asset information from external systems or by using asset discovery technology. Document relationships and dependencies between various assets. Supplement this information with vulnerability reports, incident reports and a threats database. Finally, classify assets based on criticality to relevant business processes.
Best practice 2: Adopt a standards-based common control framework.
Frameworks or specifications, such as COBIT for Sarbanes-Oxley compliance or FFIEC for GLBA compliance, are being used. Upon examination, there are a significant number of specific control requirements that are common across frameworks. As organizations increasingly have to comply with multiple regulations, they begin to use a different framework for each regulation, resulting in unnecessary complexity and expense.

Using a common control framework mitigates the redundancy and, therefore, the complexity and expense. A common control framework maps controls from multiple frameworks and specifications, such as ISO 17799/27001 or COBIT, to one common set of IT controls. All compliance activities are then performed against this common control set. The common control framework also maintains the relationship between a common control and the corresponding regulation-specific control in the standard or the specification, simplifying change management.
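The mapping described above, as an added example that is not from the article: each common control is tested once, the result is rolled up to every framework that maps onto it, and the reverse index answers the change-management question of which common control (and which other frameworks) a regulation-specific change touches. All control identifiers below are constructed placeholders, not real COBIT, ISO 27001 or FFIEC control numbers.

```python
"""Common control framework: test one common control set, report per framework.

Added illustration. Control ids are constructed placeholders only.
"""
from collections import defaultdict

# Common control -> [(framework, framework-specific control id), ...]
# Constructed mapping; the ids do not correspond to any published framework.
COMMON_CONTROLS = {
    "CC-01 periodic access review": [("COBIT", "COBIT-ctrl-1"),
                                     ("ISO27001", "ISO-ctrl-1"),
                                     ("FFIEC", "FFIEC-ctrl-1")],
    "CC-02 change management":      [("COBIT", "COBIT-ctrl-2"),
                                     ("ISO27001", "ISO-ctrl-2")],
    "CC-03 encryption of PII":      [("ISO27001", "ISO-ctrl-3"),
                                     ("FFIEC", "FFIEC-ctrl-3")],
}


def reverse_index(common_controls):
    """(framework, specific control) -> common control, kept for change management."""
    return {(fw, sp): cc
            for cc, mapped in common_controls.items()
            for fw, sp in mapped}


def compliance_by_framework(common_controls, test_results):
    """Roll one pass of common-control test results up to each framework.

    test_results: {common control: True (passed) / False (failed)}.
    A common control with no recorded result counts as failed, never as passed.
    """
    report = defaultdict(lambda: {"passed": [], "failed": []})
    for cc, mapped in common_controls.items():
        outcome = "passed" if test_results.get(cc, False) else "failed"
        for fw, sp in mapped:
            report[fw][outcome].append(sp)
    return dict(report)


def impact_of_change(common_controls, framework, specific):
    """Common control behind one regulation-specific control, plus the other
    frameworks' controls that share it and therefore need re-review."""
    cc = reverse_index(common_controls)[(framework, specific)]
    others = [(fw, sp) for fw, sp in common_controls[cc] if (fw, sp) != (framework, specific)]
    return cc, others


if __name__ == "__main__":
    results = {"CC-01 periodic access review": True,
               "CC-02 change management": False,
               "CC-03 encryption of PII": True}
    print(compliance_by_framework(COMMON_CONTROLS, results))
    print(impact_of_change(COMMON_CONTROLS, "ISO27001", "ISO-ctrl-2"))
```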
Best practice 3: Implement automated controls testing.
Information security risks are never ending. New vulnerabilities, threats and attacks are uncovered daily. Systems keep changing and assets are frequently added, reconfigured or removed. In this dynamic environment, organizations are hard pressed to clearly identify at any given time which applications or business processes are most at risk and deserve immediate attention. Manual approaches to assessing risk and compliance are inadequate and too costly to do often. Many technical controls can be deployed and monitored automatically on a frequent or even continuous basis. Integrating the results of automated periodic surveys with the results of automated technical-control tests yields a current picture of the organization’s risk and compliance posture.
Best practice 4: Take a risk-based approach.
Assessing risk and using risk metrics helps organizations achieve their IT governance objectives of prioritizing and managing IT security and compliance cost-effectively. Risk management involves assessing, monitoring, analyzing and mitigating risk. A standards-based framework, such as NIST SP 800-30, provides a comprehensive approach. It consists of three components:
• Risk assessment enables the organization to assess how critical an asset is to a business process and determines its overall risk exposure.
• Risk analysis applies quantitative methods to calculate risk scores for assets. It takes into account the state of controls and asset dependencies, and it integrates available incident and security information from external tools and systems. A single composite risk score for every asset or asset group can then be calculated to measure the relative contributions of assets and groups to the organization’s overall risk exposure.
• Risk scores help management identify and focus on the assets and risks that represent the greatest exposure to the organization. Using relative risk scores, IT management can optimize allocation of resources, and mitigate and remedy the risk that matters the most to the business.
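The risk-analysis step above, worked through as an added example (not from the article, and not the NIST SP 800-30 formula): each asset's exposure is derived from its failing controls and open incidents, an asset inherits the exposure of anything it depends on, the composite score is criticality times exposure, and group scores are expressed as a share of total organizational risk. The weights, the 1-to-5 criticality scale and the sample inventory are all constructed assumptions.

```python
"""Composite risk scores per asset and asset group (added illustration).

Constructed scheme, not a standard formula:
  own exposure  = failing-control ratio + 0.1 per open incident, capped at 1.0
  exposure      = max(own exposure, exposure of each dependency)
  risk          = criticality (1..5) * exposure
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    group: str
    criticality: int                     # 1 (low) .. 5 (critical to the business process)
    controls: dict                       # control id -> True (in place) / False (failing)
    incidents: int = 0                   # open incidents reported by external tools
    depends_on: list = field(default_factory=list)


def own_exposure(a: Asset) -> float:
    failing = sum(1 for ok in a.controls.values() if not ok)
    control_gap = failing / len(a.controls) if a.controls else 1.0  # no controls: fully exposed
    return min(1.0, control_gap + 0.1 * a.incidents)


def exposure(name: str, assets: dict, _seen: frozenset = frozenset()) -> float:
    """Effective exposure: an asset is at least as exposed as what it depends on."""
    if name in _seen:                    # break dependency cycles
        return 0.0
    a = assets[name]
    inherited = [exposure(d, assets, _seen | {name}) for d in a.depends_on]
    return max([own_exposure(a)] + inherited)


def risk_scores(assets: dict) -> dict:
    """{asset name: composite risk score}."""
    return {n: round(a.criticality * exposure(n, assets), 2) for n, a in assets.items()}


def group_contribution(assets: dict) -> dict:
    """{group: (composite score, share of total organizational risk)}."""
    scores = risk_scores(assets)
    by_group: dict = {}
    for n, a in assets.items():
        by_group[a.group] = by_group.get(a.group, 0.0) + scores[n]
    total = sum(by_group.values()) or 1.0
    return {g: (round(s, 2), round(s / total, 2)) for g, s in by_group.items()}


# Constructed inventory: a well-controlled customer database runs on a host that lags on patching.
ASSETS = {
    "db-customer": Asset("db-customer", "payments", 5,
                         {"encryption": True, "access-review": True}, depends_on=["host-01"]),
    "host-01": Asset("host-01", "infrastructure", 2, {"patching": False, "hardening": True}, incidents=1),
    "wiki": Asset("wiki", "collaboration", 1, {"patching": False, "backup": False}),
}
```

The database scores highest even though all of its own controls pass, because the host it depends on raises its effective exposure; that dependency effect is what the asset relationships gathered in best practice 1 feed into.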
Best practice 5: Practice effective communication and information sharing.
Because IT systems account for a significant portion of business risk, CISOs are increasingly connecting multiple stakeholders across individual business units, geographies or divisions. Not only do CISOs and their teams have to maintain quick, comprehensive and continuous visibility into risk and compliance status and trends across the organization, they also need to be able to present data back in the proper context to executives and business owners to ensure they have the support they need for effective risk mitigation.
Adopting these best practices will provide CISOs the visibility and insight into the environment they require and will clearly map data protection to priority, security, cost, compliance and complexity. The result for CISOs is more predictability, more effective management, lower cost and a greater contribution to the business as a whole.