: Assessment"> Security Step 1: Assessment By Peter Coffee In the year that followed the initial publication of eWEEK Labs "Five steps to enterprise security" in November 2001, there was a firestorm of reaction to the accounting abuses revealed in the aftermath of the Enron bankruptcy in December of that same year.Climate change Notably, Californias Security Breach Information Act, aka SB 1386, applies to any company with even a single California customer. It mandates broad notification of any apparent leakage of unencrypted "personal information," defined with admirable specificity as an individuals first name or first initial and last name in combination with any one or more of the following: a Social Security number, drivers license number or ID number, or financial account number in combination with an associated security code or password. Following its effective date in July 2003, SB 1386 has necessitated costly and embarrassing public acts of self-humiliation by state agencies, financial institutions, retailers, educational institutions and other employers. The overall effect of SarbOx, SB 1386 and similar measures in other states is that inattention to enterprise security now has a clearly marked price tag for senior managers. If IT security is lax, theyll spend a lot of money admitting it. If they dont come clean about what they do and how, they could wind up facing fines or even jail time. Either way, their stock options will take a beating as the market punishes a tarnished public image with share price markdowns. Infrastructure risk assessment is no longer an unpopular exercise in looking for leaks in the roof when the sun is shining. Its now understood as an essential element of due diligence, a piece of the practice of being a going concern that wants to stay that way. The resources made available and the respect and consideration for the people doing the work appear to have markedly changed for the better in the past five years. So easy to do it so wrong That said, there are uncountable ways to enact the form of risk assessment and abatement while utterly failing to deliver the substance. Pre-9/11 and pre-Enron, the stakeholders for IT security were primarily internal-operators who needed to ensure facility uptime and in-house users who needed access to applications and confidence in the quality and protection of data. The environment now demands far more attention to external stakeholders and scrutineers. This change has taken place rather quickly, even by the standards of the fast-paced IT sector: Technology-centered professionals still are all too likely to be thinking in terms of IT asset protection, ensuring that servers are not taken down and applications are not taken out of service, while failing to appreciate the data-centered and business process-centered viewpoints that the worlds top spooks now urge upon security practitioners as the best vantage points for assessment. In the post-9/11 world, the name of the National Security Agency can actually be mentioned in a mainstream conversation without triggering nervous jokes about "No Such Agency" (its former nickname) or the "Maryland Procurement Office" (the NSAs innocuous nom de guerre for purchasing its plethora of high-tech tools). Indeed, the NSA has come into the public spotlight as a center of excellence for security technique: Frameworks such as IAM-whose dueling spellouts are the NSA Information Assurance Methodology and Infosec Assessment Methodology-are widely published and taught. IAM includes a notion of "impact attributes" that enterprise professionals will do well to embrace and understand. Core impact attributes often are listed as confidentiality, integrity and availability, all of which are essential to anything deserving the name of a secure infrastructure. In fact, these attributes represent a three-legged stool that will fall if any of those legs is unsound. Brace for impact Specific organizations and missions may have other infosec attributes that must be achieved and preserved. Security Horizon has produced an NSA IAM guide (released by Syngress Publishing in 2004 as a book titled "Security Assessment"). The guide suggests such possibly relevant attributes (given here with eWEEK Labs suggested definitions) as:
Accountability. Who introduced what information or made what changes or took what action?
Nonrepudiation. Who made what commitments, and how can others prove it?
Authorization. Who has permission to take what actions? Who granted that permission? What combinations of permission should not be allowed?
Audit. What actions were provably taken based on access to what information? By whom? When? From where?
Access control. Which entities have which specific modes of access to which resources, subject to what policies?
Rather than offering a predefined list, however, the authors of that guide are making the more general point that stakeholders should be asking questions about the types of information that are important to an organization; they should annotate the resulting list with the characteristics that define their own mission-specific, type-specific standards of what it means for that organizations information needs to be securely met.
Any idiot can conjure up a threat level or risk index or other gross measure of a security situation. Absent detailed discussion, not at the level of IT assets but at the level of key processes and the impact attributes that go with them, gross measures are worse than useless-they convey a false sense of knowing whats going on.
Enterprise managers need something better, and infrastructure professionals have never had better leverage to pry loose the resources needed to provide it.
Best practices: Assessment
Concentrate on information types: Define these not by the applications that produce or use them but by the business processes that originate, consume and modify them.
Look at actual usage and dependency: Be discriminating about who needs to confirm that something is known, who needs to know it, who needs to be able to alter it and who needs to authorize others to do any of these things.
Identify mission-related attributes of security: Confidentiality, data integrity, nonrepudiation, auditability and other characteristics have varying importance in different situations.
Next Page: Step 2: Prevention
In September 2006, on the fifth anniversary of the 9/11 terrorist attacks, members of eWEEKs Corporate Partner Advisory Board told eWEEK that the impact of those attacks had been far more evident in new physical security measures than in any elevation of the IT security posture. What had most changed their IT environment, said many of the Corporate Partners, was the post-Enron impact of sweeping and pervasive legislation such as the Sarbanes-Oxley Act and of other enterprise governance mandates, along with public awareness of privacy threats and risks of identity theft.