Tuesday, August 12, 2008

An Arrow Pointed at the Heart of Your Enterprise: Part 1

I was on a contract recently where the CEO of a Fortune 50 Company wanted to install XYZ program on his Blackberry. Apparently he had been to some conference or other and was quite impressed with a program that other CEOs had on their Blackberries. And what they had, he had to have. Thus was born the project to install program XYZ on all C-Level executives’ Blackberries. My part in this process was to perform the Risk Assessment and present this report to the business unit that “owned” the Blackberry for appropriate Risk Control Measures.

Like most IT folks, I considered myself fairly knowledgeable about Blackberries[1], having carried one for a large part of my professional career. But I was in for a huge awakening when I started doing my research into Research In Motion (RIM), its Blackberry product line and the Blackberry Enterprise Server (BES). As I began the research into known vulnerabilities regarding the Blackberry it became very apparent very quickly that I didn’t know nearly as much as I thought I did. What follows is a high-level technical overview of the Blackberry.

Communications are encrypted end-to-end, from the user’s handheld device all the way through to the inside of the organization’s firewall. RIM has done an outstanding job of encrypting this tunnel with either Triple DES or AES. This very strength is what security researcher Jesse D’Aguanno of Praetorian Global[2] was able to exploit when he presented a vulnerability demonstration at Defcon in 2006. By uploading a specially crafted program to a user’s Blackberry, he was able to turn the handheld device into a proxy server. Since the Blackberry bypasses all of the organization’s typical border protections and exists logically on the organization’s most trusted network segment, it could be used as a proxy by a hacker to access any unsecured asset on the LAN. If this connection were compromised, it would be nearly impossible to detect. The very best scenario would be that sensitive or classified information was detected going from a server to the CEO’s Blackberry. However, what IT person would question the CEO’s need to access this data? And in the worst case scenario, data would leave the organization through this encrypted back channel for years, until the CEO upgraded the Blackberry.

Most users of Blackberries and similar PDAs think of the device as simply a “cell phone on steroids”. Nothing could be more wrong. The latest generation of Blackberries use an Intel XScale processor which can perform almost as fast as a Pentium III! Couple this fact with 64 MB of RAM and this little device easily qualifies as a mobile computer. But I would venture to bet that none of the business users who routinely use these devices think of them as such. And therein lies the problem. If a handheld device were to be compromised, this would allow the attacker a protected tunnel directly into the very heart of the organization.

In the almost 2 years since the Defcon presentation, the field of PDA suppliers has burgeoned from a handful to well over a dozen. And with each manufacturer and service provider vying for “ease of use” and more features than the competition, security concerns fall by the wayside. As an example, the majority of these handheld devices ship with Bluetooth enabled. As long ago as 2006 several investigators were able to “hack” Bluetooth cell phones and PDAs from over a mile away! There is even a special device for such long range hacking called a Bluetooth Sniper Rifle. The author of one particular online article pointed his Bluetooth rifle at an office building in downtown Los Angeles and remarked “This building is full of Bluetooth! Look, we got some Blackberries!” While it is true that newer cell phones and PDAs have become harder to hack, it is also true that hacking tools have become much more sophisticated. Nico Darrow is the author of the article Bluetooth Security Risks in Business, which was published less than a month ago. In this article he says “We are now seeing complex Bluetooth hacking tools becoming available to the public.” A quick search on YouTube for “Bluetooth hacks” yields almost 200 hits. In addition to hawking a particular piece of hacking software, they also give step by step tutorials on exactly how to exploit cell phones, PDAs and Smart Phones. In McAfee’s annual report on Mobile Security for 2008 they state that “94% of all mobile users do not have mobile protection software on their mobile devices.” And with worms like Beselo propagating among the SymbOS community, security professionals need to be on the alert.

RIM is among the better companies at securing their PDAs, but is by no means immune from the malware challenge. Most PDAs and Smart Phones do not protect data “out of the box”. For this reason a thriving market exists for third party security software. But this problem is larger than can be fixed by simply installing encryption software. What is needed is a well planned training program for the business users who depend on these devices. Users from the CEO to the newly hired sales person must understand that today’s PDAs and Smart Phones are more than just a “cell phone on steroids”. They are full blown computers with connections to the private LAN and need to be secured as such. Unfortunately training budgets are usually the first casualty when IT budgets get trimmed, but some problems can only be fixed by educating users. And the threat posed to PDAs, Smart Phones and similar devices is one such instance.

Next Installment: Current Threats to PDAs and Smart Phones (and how to protect your user community)



[1] While I refer to the Blackberry PDA by RIM throughout this article, I am sure that any of the other modern PDAs could just as easily be substituted. However, all the technical details along with particular exploits mentioned are specific to the Blackberry.

[2] Due to a limitation of Ezine Articles, I cannot include all of my references here. A complete list can be found at:
www.ultimatecomputersecurity.com



© 2008 All Rights Reserved.







Due to limitations at Ezine Articles I cannot include all of the sites I used as references for Part 1 of my Article "PDA's: an Arrow Pointed at the Heart of Your Organization". Below are those references:

[1] Praetorian Global has the actual attack toolkit downloadable here: http://www.praetoriang.net/projects.html

[2] Intel XScale Microarchitecture Document, Intel Corporation, Copyright 2000

[3] http://www.boingboing.net/2005/03/13/howto-build-a-blueto.html

[4] http://www.informit.com/articles/article.aspx?p=1193476


Wednesday, March 19, 2008

Free (Almost) HIPAA Compliance



HIPAA was the first drop in what has become a regulatory deluge. Twelve years ago Congress enacted a law which on the surface aimed to give Americans more control over their health care data, but which actually was the first law mandating standards for securing data. A flood of regulations followed: Sarbanes-Oxley (SOX), The Patriot Act, FISMA, FFIEC, FDA, COOP/COG, Basel II, GLBA, PCI, etc, etc. With each new piece of legislation, the regulations became more refined and better defined what was expected of Information Technology (IT) professionals. Lost in this blizzard of sometimes conflicting governmental regulations is the standard that started it all: HIPAA. While it is true that HIPAA is more of a “guideline” than a “mandated standard” as far as IT is concerned, the benefits of compliance should not be overlooked. In fact, compliance with HIPAA standards can be a very easy task if the organization has implemented an overarching security framework and has been forced to comply with one of the other previously mentioned regulations.

Businesses do not exist in a vacuum and neither does the data they use and create. It would be a difficult undertaking these days to find an organization of any size that is not forced to comply with at least one regulatory body (and larger organizations must comply with a half-dozen or so). HIPAA has often been put on the back burner, even at large national health care organizations, because the fines associated with non-compliance pale when compared to other statutes. For example, the maximum HIPAA fines are $100 per individual per instance up to a maximum of $25,000 per institution per year. SOX legislation by comparison carries the very hefty threat of 20 years in Federal Prison, and up to $5 million in fines. Naturally, organizations pushed hard to become SOX compliant, even though this legislation postdates HIPAA by 6 years. The positive fallout is that most of the IT work previously done can be leveraged in getting an enterprise HIPAA compliant. SOX and PCI compliance have been the 2 major driving factors in the non-financial sector over the past few years and, while each is unique and distinct, they both have “industry best security practices” at their cores. And these very same best practices are what we will leverage in our HIPAA work.

Most organizations have already gone through at least one iteration of information security evaluation. In the hands of a skilled and certified IS professional, data from one compliance audit can be re-used and dramatic cost savings realized. Of course, certain aspects of a HIPAA compliance audit are unique and work in these areas may need to be performed. But depending on which previous IS examinations have taken place, and the availability of this information to the IT staff, performing a HIPAA compliance audit can be easy, almost free and well worth performing.

Mindteck has personnel with experience at performing HIPAA audits since 1996. We are experts at providing value to our clients while at the same time being conscious of their financial constraints. Using activities already performed and lessons learned, Mindteck personnel work hand in hand with the client’s IT staff toward the common goal of getting the enterprise compliant. Using proprietary software and methodologies, Mindteck staff can bring value to your HIPAA compliance endeavor and see your project to a successful conclusion.



© 2008 All Rights Reserved.


Wednesday, May 31, 2006

Aligning IT Control Frameworks:

CobiT, ISO17799 and ITIL


Executive Summary

Organizations are adopting Best Practice policies to govern their IT Departments at an ever growing rate. However, if this process is done piecemeal, or haphazardly, more harm can be done than good. And if the organization faces regulatory compliance, the very real concern exists that they may fail the audit even after a large investment of time and money. The purpose of this, the third paper in this series, is to provide the IT Manager with a practical guide to implementing Security Frameworks. For this paper, we assume that Management has chosen CobiT as the IT Control Framework and that ITIL or ISO17799 (individually or together) have been chosen as the Security Methodologies. This paper takes these decisions and attempts to show how to implement them together. Here is what happens “when the rubber hits the road”.


Introduction

Executive management has decided on CobiT as the IT Control Framework for the organization. Perhaps they even chose a Security Methodology, like ITIL or ISO17799 (soon to be renamed ISO27001). Or perhaps they even “delegated” the responsibility of making CobiT work. Either way there’s no need for concern. This paper will take you step by step through the process of implementing Security Methodologies within CobiT.

Contrary to what many so called “experts” in this field say, CobiT is an IT Control Framework. As such, it deals with large, enterprise wide areas. It maps business processes to IT and overlays a structure for how IT can better help the overall organization. But CobiT does not actually provide the Security Methodology component necessary for implementation. For this we need ITIL and ISO17799. There are other methodologies that try to address the entire spectrum of IT Security, but these 2 fit together well and provide a very tight security implementation.

Why ISO17799 and ITIL together?

Probably the first question on your mind is, “Do I have to implement 2 Security Methodologies? Isn’t there one that does the same thing?” The simple answers are: “yes” and “yes”.

The more in depth answers to the above questions cut right to the very heart of the current IT Control Framework/Security Methodology quagmire. There are currently over a dozen (perhaps as many as 20) different Frameworks and Methodologies. They come from all over the world, from government agencies and from private organizations, with varying degrees of maturity, implementation and market acceptance. And of course there is a LOT of overlap. After all, best practices are best practices regardless of whose Framework they are included in. But no one Security Methodology covers all the possible problem areas within IT; the best available today cover roughly 70 – 75% of IT security issues. Whether by conscious omission, or because of the length of the revision cycle, most of the Methodologies don’t even mention Malware, Root Kits or any other of the latest security scourges. This is why a combination of 2 complementary Methodologies provides the best implementation option currently available. And choosing ISO17799 and ITIL brings the added benefits of:
• international acceptance
• auditable
• certification
• complete IT coverage
• frequent revisions to the Methodologies
• training
• easily maps to regulatory audits (especially SOX)
• mature methodologies
• consulting firms with experience with these standards
• vast quantity of published information
• wide international adoption

ITIL and ISO17799 are not as odd a pairing as you might at first believe. Both standards owe their origins to agencies of the British Government: ISO17799 was BS7799 and ITIL used to be BS15000 (developed from the CCTA standard). While ISO17799 deals with best practices for information security, there are some noticeable holes in the ISO coverage. For example, ISO17799 has no method to monitor the CobiT Control Objective PO9.1 (Business Risk Assessment). All told, there are 46 CobiT Control Objectives that are not handled by ISO17799 alone, but which are covered by ITIL. The major areas of weakness in ISO17799 happen to be the strengths of ITIL, namely IT service and support.

ITIL (the Information Technology Infrastructure Library), as the name implies, has a vast number of books, publications and articles in its library. While the sheer size of the library may at first seem daunting, each ITIL service delivery process is divided into its own category with its own associated publications. The title “Introduction to ITIL” currently sells for about US$65 (but the price fluctuates depending on the exchange rate to the British Pound). Other titles in other disciplines are more expensive, but none appear to be outrageously priced. There is also a new category called “ITIL - Small Scale Implementation” which was written and released in January of 2006. This publication (also available for US$65) provides an “adapted ITIL approach to delivering an improved service, using all aspects of the guidance tailored to the smaller implementation.”

Acceptance of ITIL in the United States has lagged behind the rest of the world. However, this situation is changing quickly. A study by Evergreen Systems of over 100 attendees at the 9th Annual International IT Service Management Conference in 2005 found 75% of respondents planning to spend money on ITIL implementation within the next 6 months. Many enterprises in the US see ITIL simply as a method to improve Help Desk services and bring them into compliance with CobiT controls. ITIL can of course be applied to a specific area like the help desk. However, ITIL is a much more full featured and robust framework with over 8 areas devoted to improving IT service management. Service modules such as ICT Infrastructure Management, Application Management, Security Management, Software Asset Management and Business Perspective give ITIL a very broad coverage area.

In order to implement a Security Framework at an organization using a predetermined Security Framework, some "customization" must be done. In our particular case, we will be customizing 2 frameworks, with most of the "tailoring" being done to ITIL, solely because it is more flexible than ISO17799.

Implementation and Customization


Begin your implementation of the Security Framework by reading and taking appropriate notes on the ISO17799 standard. Because each organization is different, the various sections of ISO17799 will apply differently. Some sections may not apply at all while others may be overflowing with appropriate recommendations. While the ISO document is far from being the most difficult technical document that IT managers are likely to read, a company called Praxiom has taken the ISO standard and "simplified" it. Their website even offers a sample document complete with checklist and start/finish dates. While this approach might not appeal to every IT manager, we like their approach for shops that are over-worked and under-staffed because it eliminates several steps that would otherwise be performed by staff members.

Once
























© 2006 All Rights Reserved.

Wednesday, May 24, 2006

Summary of ISO17799

Asset Classification and Control (ISO17799 Section 3)
Information should be classified to indicate the need, priorities and degree of protection.
Security classifications remain with the document’s author
“Classified data … should be labeled in terms of its value and sensitivity…” and if it is sensitive or critical, it should carry an appropriate classification label.
“Physical labels are most appropriate”



Personnel Security (ISO17799 Section 4)
“Should be addressed at the recruitment stage”
Security policies should be included in job descriptions
Checks on permanent as well as temporary staff should always be carried out
IT workers should sign a non-disclosure agreement, which should remain in force after the employee leaves
Security breaches should be reported as quickly as possible
Users should be required to report observed or suspected weaknesses
Report software malfunctions
Violations of company security policy should be disciplined
Users should be trained on proper security procedures, legal issues and business controls


Physical Security (ISO17799 Section 5)
Critical or sensitive facilities should be located in secure locations
Perimeter security must be overlapping and complementary
Other people should not be made aware of the activities within a secure location
In-house computer equipment should be housed separately from 3rd party managed equipment
Visitors to secure locations should be supervised and time in and time out should be noted
Access to computer and communications rooms “must be restricted to authorized staff only”
Visible ID should be worn
Immediate revocation of access rights for employees who no longer work in that area
Access rights should be reviewed
An isolated area should exist for loading; should have an inner and outer door
Employees should not take software, data or equipment offsite
Equipment should be physically protected from threats (fire, EMF, dust, water, etc)
Equipment with sensitive data should be located away from high movement areas and situated to minimize the risk of “shoulder surfing”
Equipment should be protected from electric power fluctuations and outages
Power cables should be separated from data cables to prevent interference
Network data cables should be run inside conduit to prevent interception and cable runs should avoid public areas whenever possible
For extremely sensitive areas: armored conduit, fiber, data encryption (?), sweeps for rogue devices
Adequate insurance coverage should be in place
Storage media should be physically destroyed


Communications (ISO17799 Section 6)
Procedures and appropriate responsibilities should be in place for IT
Procedures should include detailed steps for each job function
Incident management procedures should be established
Segregation of duties
Separate development and operational facilities
If external contractors will be used, determine beforehand which processes to handle in-house
Advanced planning is needed to prepare for system availability
Prepare carefully for system capacity with especial concern for mainframes
A mechanism for system acceptance is important to have in place
“Precautions are required to prevent and detect … malicious software.”
“…prevention is better than cure”
A formal policy regarding licenses and unauthorized software
** “The organization should consider conducting regular reviews of the software and data content of systems supporting critical business processes.” 6.3.1d
Data backups should be located at a remote location
“The security management of data that may pass organizational boundaries requires special attention.”
Separate network operations from computer operations
Electronic media should be protected, including physical protection
“The data should not be identifiable from its label.”
“Require a written authorization for all media removed from the organization…”
“Media should be physically locked in sturdy cabinets.”
Distribution lists for system documentation should be kept to a minimum
Clear procedures for the destruction of media should be established
Electronic messaging should be controlled



Access Control (ISO17799 Section 7)
Access to computer resources should be restricted based on business needs
Access controls should be defined and documented
Concept of “business application owner” ultimately responsible
“Mandatory access control” vs. “Discretionary access control”
Everything generally forbidden unless specifically permitted
Formal procedures should be in place to protect access rights to sensitive information
Procedure to “register” and “deregister” users
Give users a written statement of their access rights and require users to sign them
Issue temporary passwords which users are required to change immediately
Passwords should be conveyed to users in a secure manner
Connections to network services should be controlled (users should only be able to access services which they have specifically been authorized to use)
The path from the user’s computer to appropriate resources may need to be controlled
Divide large networks into smaller ones using a firewall and router
Access to computer facilities should be controlled
User identification, terminal identification, user authentication, password management
Connection times should be limited
Use of system utilities should be highly controlled
Sensitive computer systems may require isolation from regular computers and networks
Systems should be monitored
Logging and clock sync are important
Mobile computing and tele-commuting create special security concerns


System Development and Maintenance (ISO17799 Section 8)
Security should be built in to computer systems and reflect the value of the asset
The CIA model
Different controls to prevent, detect and recover from major failures or incidents
Audit trails are important
Comply with regulatory requirements
“Input data validation”; “Internal process validation”; “Output data validation”
Encryption should be considered for sensitive and critical data
Authentication, non-repudiation, integrity and confidentiality
Project, development and support environments should be strictly controlled
Change controls
Buy only source code so it can be inspected
Be very careful about Trojans and Covert channels

Business Continuity Planning (ISO17799 Section 9)
Minimizes the disruption caused by natural as well as man made disasters and incidents
BCP should consider the threat and potential of occurrence along with the potential loss
The Plan should minimize downtime
Should be only 1 BCP, written as simply as possible
Test, maintain and reassess the BCP





© 2006 All Rights Reserved.

IT Controls:
Which Standard?

NIST800, ISO17799, OCTAVE, ITIL


Executive Summary

Reports of identity theft, exposed social security numbers and compromised credit cards make regular headlines, not to mention keeping executives and IT managers awake at night. Businesses are now forced to focus on the problems confronting computer data. Personnel from the CEO down to the Help Desk technicians are bearing responsibility for data breaches. As business tries to shore up its security posture it casts about for a “Common Denominator”, a definitive set of standards relating to computer security. There is no shortage of contenders for the title because the field of competing security methodologies becomes more crowded every year. However, there is still no one universally accepted standard, the Gold Standard of Data Security. This paper’s goal is to help the user navigate through some of the choices currently available and to choose the IT Control Methodology that best fits. The figure in Appendix 1 graphically illustrates the Frameworks Quagmire as it relates to the software development industry.


Introduction

The field of Security Methodologies is a fairly new one and prior to the early 1990’s there were only 2 products in this space: NIST and BS7799. Both these standard bearers were created by government agencies, NIST from the National Institute of Standards and Technology in the US and BS from the British Standards Institute in the UK. While NIST has remained a standard in government agencies, and is the basis for yearly Certification and Accreditation reviews, the BSI took steps toward becoming the international business standard. In 2000 the BSI gave BS7799 to the International Standards Organization of Geneva (the ISO). In December of that same year, the ISO accepted the standard for information security and renamed it ISO17799. Even though the ISO standard had the backing of only one G7 country (the UK), it was popular with smaller countries and was “fast-tracked” through the approval process. Reluctant to throw out their own standards, large industrial nations such as Japan, the US and Germany continued using their own set of IT Controls. All the while ISO17799 gained "grass roots" momentum, and continues to do so even today.

As the market now stands there are close to a dozen competing efforts to standardize business's IT practices. Generally these products can be categorized into two groups: Business Frameworks and Risk Methodologies. The borders between the categories continue to blur as Methodologies are re-written to include high level management goals and vice versa. This paper focuses entirely on the latter classification, Security Methodologies (also called IT Controls).


Security Methodologies/Best Practices

IT Managers and Directors are charged with making their shops more secure but are faced with a daunting task. In addition to the daily discovery of vulnerabilities, the market is full of competing Security Methodologies. While the names ISO17799 and NIST800 are probably familiar to IT professionals, there are at least a dozen other “security standards” in this space. While the names ITIL, ISM³, SS, FIPS, PAS, ISF, OCTAVE, AS/NZS, and GAISP are not so well known, they are nonetheless competing for the same market. And new IT security methodologies appear monthly. However, despite the apparent differences (these products come from such far flung locations as Singapore, the UK, New Zealand and the European Union), they all have remarkably similar underpinnings. The standards are based on computer security “best practices” and while implementation of best practices varies from industry to industry, the basic concepts are remarkably similar. So similar in fact that NIST 800-53 includes an appendix which maps their methodology to ISO17799.

For an organization without a formal IT Framework, or for that matter, without even a Risk Methodology, a good starting place would be the NIST guidelines. The major advantage of NIST 800 also happens to be its major drawback. NIST regulations, while mandatory for government agencies, are simply “guidelines” and recommendations for commercial enterprises. There currently exists no manner of certification, authentication or audit for commercial entities. This shortcoming may in and of itself be the deciding factor for organizations looking for certification. ISO17799 and most of the other methodologies offer some type of accreditation or certification. However, on the plus side, NIST publications are easily obtainable, fairly easy to read, and updated much more frequently than most others. Perhaps most important, all of the publications are available free. The costs of the publications from other methodologies can easily run into thousands of dollars.

If an organization is looking for a mature commercially available framework, then ISO 17799 is the answer. Any business subject to regulatory compliance, whether US or International, should implement the ISO17799 methodology. Former criticisms of the regulations being too vague or off target were met with a major rewrite of the methodology in June of 2005. The new standards are very precise, giving information managers actual advice to “do this and don’t do that”. These additions brought the standards current and actually make it one of the best documents for A to Z security implementations.

Additional concerns about certification and authentication were also recently addressed in the ISO methodology. Prior to 2005, organizations wishing to become certified had to certify against the BS7799 standard. This caused problems on a number of fronts. However, these problems were resolved with the release of a new standard, ISO27001, which includes provisions for becoming certified. Certification is a concern for businesses in many different industries, both public and private. Multi-national businesses find themselves in a particularly difficult position since there is no one “de facto” international standard, with each different country mandating compliance with their own security regulations. ISO17799 represents a good compromise choice in this area and has the additional advantage that dozens of countries have already accepted it as the national standard. It should be noted that ISO17799 certification is relatively new and that there are only 2509 registered organizations worldwide, with well over half (1516) coming from Japan alone. The remainder of the G8 nations (US, UK, Germany, Italy, France, Russia and Canada) together total only 325, and not all of these countries have adopted the 2005 standard. These numbers show the high level of uncertainty in the security methodology field and also the grass roots nature of the ISO standard. Organizations considering an ISO certification should consider this in their decision.

Of the remaining dozen or so standards, the top candidates for US companies are OCTAVE, ISM3 and perhaps ITIL. These IT methodologies represent “hybrid” standards, meaning that they attempt to specify the “nuts and bolts” approach common in security methodologies while introducing a broader business framework. The ISM3 maturity model, from the Institute for Secure and Open Methodologies (ISECOM) is the newest of the entries. Its current version was released in March of 2006. The very currency of the topics in the methodology may be enticing, especially in regards to current threats (and recommended countermeasures). However, care must be taken to weigh the fact that very few international bodies (and no major corporations) have adopted this security standard.

The Carnegie Mellon Software Engineering Institute (SEI) has produced a work called OCTAVE. The pedigree of this IT methodology comes from the same bloodline which gave us CERT and the CMMI standard for software development. The "OCTAVE Criteria" is a very broad and easy to read document. The current version, Version 2, has been modified by the addition of individual papers relating to specific areas of concern (Malware for example). But even this most recent document dates from December 2004 and nowhere in it are today's most virulent threats mentioned (rootkits and spyware). With the original version dating from the last century (June 1999) and the latest full version only marginally more recent (December 2001), we question the support that CMU has for the OCTAVE framework.

The last "hybrid" IT methodology is ITIL. This standard hails from the British Office of Government Commerce (OGC). The British Standard BS15000 was commercialized and the result is ITIL. Originating in the late 1980s, this IT methodology dealt with best practices for IT service management. However, in the ensuing decades the standard has been broadened to include: Service Management, Infrastructure Management, Application Management, Security Management, Software Asset Management and Business Perspectives. The ITIL approach is to divide these different domains of IT control into separate standards, complete with separate certification processes. While ITIL is fairly new on this side of the Atlantic, it is a mature and very well established IT framework in the UK and Europe. Some of the major adopters of the framework include Microsoft, British Airways, IBM, Barclays, Procter & Gamble and HSBC. Of particular interest is the fact that the OGC has just published (January 2006) a book helping smaller organizations adopt the ITIL Best Practice IT Framework.



Summary

There currently exists a bewildering array of computer security methodologies in the market, with more appearing all the time. For organizations trying to improve the structure and security of their computer network, the choice of a product is very important. While all the Security Methodologies in this report provide an excellent start on the road to “computer security best practices”, no one solution is right for every business. The decision as to which solution to implement can be critical because the future direction of the organization’s IT infrastructure depends on it. Fortunately, there is a great deal of overlap between all the products in this field, and a standard in one is easily transferred into an appropriate category in another.

It has been the purpose of this paper to give the reader a brief primer about the variety of security methodologies that exist and to present in an unbiased way the strengths and weaknesses of some of the most popular.


The next paper in this series deals with a popular implementation of IT Controls, aligning CobiT, ITIL and ISO17799.

Links

NIST: http://csrc.nist.gov/
ISO17799 http://www.iso.org/iso/en/ISOOnline.frontpage
AS/NZS4360 http://www.saiglobal.com/shop/script/search.asp
OCTAVE http://www.sei.cmu.edu/programs/nss/surv-net-mgt.html
ITIL http://www.itil.co.uk/
Frameworks graphic http://www.software.org/quagmire/
17799 in plain English http://praxiom.com/iso-17799-intro.htm
ISO27000 User Group http://www.xisec.com/
ISO27000 Certification http://www.xisec.com/certPortal.htm#CertAuditor




Bibliography

http://informationsecurity.techtarget.com/magPrintFriendly/0,293813,sid42_gci1175862,00.html
http://www.csoonline.com/read/030103/lite.html
http://www.lanfaxlabs.com.au/papers/P61-B-P-D-Cairns-final.PDF
http://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017chap01.html
http://www.cert.org/octave/approach_intro.pdf
http://72.14.203.104/search?q=cache:GE_bZQ0OF9kJ:www.sis.pitt.edu/~jjoshi/IS2820/Spring06/chapter06.doc+security+framework+iso+17799+nist+800&hl=en&gl=us&ct=clnk&cd=21&client=firefox-a
http://www.iso27001security.com/html/others.html
http://www.iso-17799.com/
http://72.14.203.104/search?q=cache:ORy7nD_HN20J:www1.netsec.net/content/securitybrief/archive/2004-03_NISTand17799.pdf+nist+800+formal+accreditation+commercial&hl=en&gl=us&ct=clnk&cd=3&client=firefox-a
http://itgovernance.politicalinformation.com/17799.htm
http://www.itil.co.uk/
http://www.itilcommunity.com/
http://www.get-best-practice.co.uk/home.aspx
http://www.get-best-practice.co.uk/securityManagementInformation.aspx
http://www.software.org/quagmire/
http://praxiom.com/iso-17799-intro.htm
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3=
http://www.xisec.com/
http://www.xisec.com/certPortal.htm#CertAuditor




numly esn 48004-060524-397179-18

© 2006 All Rights Reserved.

Business Frameworks and Regulatory Standards


“The good thing about standards is that there are so many to choose from.” A. Tanenbaum



Introduction


You breathe a sigh of relief as the audit team finally leaves your facility. Your organization has just gone through a regulatory compliance audit. Regardless of the particular regulation (HIPAA, SOX, GLBA, Basel II, etc.), all audits are disruptions to normal business operations. The sheer fact of having a dozen or so strangers walking around the organization is alone enough to distract workers. And then the truly intrusive part begins: the auditors go through page after page of interview questions with your staff; they pore over the financial information; and a team of computer auditors inspects all aspects of the data processing system.

You may be wondering if there is a way to turn this annual regulatory necessity into a positive experience. Can the impact on staff performance and productivity be lessened? Is there a way to prepare your organization so that future audits proceed more smoothly? Is there a way that these audits could give your company a competitive advantage?

The answer to all these questions is: YES. If you are asking these questions you are in very good company. The majority of large corporations are already using regulatory compliance as a motivator to improve business processes within their organizations. The Gartner Group states that fully 70% of Fortune 500 Companies will have implemented some type of Corporate Program Management (CPM) by the end of this year. Additionally, over 64% of private companies are using SOX guidelines as a catalyst for change even though they are exempt from the regulation. Of the three major benefits that accrue to companies with a strong, ongoing approach to SOX reviews, we will address the last: accelerating revenue growth through streamlined business practices.

Streamlining business processes

Opportunities for change exist in every corner of every enterprise. But the area with the biggest potential for progress is almost always the IT Department. In most mature organizations Information Management grew organically from humble beginnings, perhaps from the adding machines of the accounting department or even from the equipment maintenance department that used to take care of the typewriters. “It's always been done that way” is a common saying in IT departments, even though the process being performed may be obsolete or redundant (is there really a need to fill out paperwork in triplicate in the day of email, electronic requisitions and internet connections to vendors?). Not surprisingly, most of the business frameworks deal with the IT Department and attempt to impose order onto a mostly chaotic realm.

Solutions fall into two large and difficult to define categories: Security Methodologies and Business Frameworks. As this paper is being written, there are 3 major business frameworks for IT Governance, 14 Security Methodologies, and numerous others, with a great deal of overlap between them all. In the next section we will attempt to provide an overview of the major players in this field and some of the strengths and weaknesses of each.


Business Frameworks

Executives can easily find themselves confused by the myriad of products that bill themselves as “Security Frameworks”. What we will attempt to do is distill the essence of the most popular solutions into an easy to understand comparison. And to start the process, let us define our terms. Regardless of the verbiage used in their own product literature, we will endeavor to provide a common language for all the products (ISO27001, for instance, defines itself as a framework that “specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks”). In plain English, we have divided the field into 2 large overlapping categories: Security Methodologies and Business Frameworks.

Business Frameworks are the smallest field as far as the number of qualifying products, but also the most “nebulous”. By their very nature, they attempt to be all things to all users. Business Frameworks attempt to provide a general, overarching structure to an entire organization, covering business processes and risk management as well as providing IT governance and controls. If we use the analogy of building a skyscraper, then Business Frameworks are the steel skeleton. All the weight of the building will be carried on this infrastructure: the floors, walls, windows, and of course tenants. While all buildings have certain traits in common, there also exist a large number of differences. A building that is suitable for a hospital would not be appropriate for a high rise office structure. And here you begin to see the inherent problem with these overarching frameworks: it is a daunting task to design a “one size fits all” approach to business processes. Of course the best frameworks have methods to “customize” their solutions, and of these the most commonly adopted is CobiT.

CobiT is currently the market leader in the US, primarily because of the Sarbanes-Oxley Act. When the law passed in 2002, publicly traded companies scrambled to put business frameworks into place and began to search for a framework that organized IT. CobiT was the choice that most decided upon. Subsequently, auditors and increasing numbers of Executives are befriending CobiT. The strength of the standard is its very general framework, which gives organizations a certain flexibility in implementation. CobiT also happens to be the standard that most SOX auditors are familiar with, and this factor alone may be enough for a business to choose CobiT.

There does exist a large and formidable competitor to CobiT, however. The Information Security Forum (ISF) claims that it “is the world's leading independent authority on information security” and that “50% of Fortune 100 companies” utilize its framework. While the CobiT standard is a “maturity model”, ISF instead focuses on “best practices”. ISF members have invested $75 million over 16 years to develop this standard to the point where it is today. They have additionally adopted and used the better parts of other standards, including ISO17799 and CobiT. And with the weight of multi-national corporations such as Alcatel, BASF, Boeing, British Airways, ING, KPMG, Procter & Gamble, Verizon, Volvo (and many others) behind it, this standard may gain traction among smaller companies.

Of course, there exist many other standards out there, ranging from very specific IT security practices to overarching enterprise frameworks. Certain specific industries have already more-or-less settled upon a standard: software development companies have CMMI; financial institutions have FFIEC; manufacturers have ISO9000; US government entities have the very extensive NIST standards; computer service entities use ITIL; and on and on. There are also a few other general Business Framework models that we include for the sake of completeness.

OCTAVE is a new standard from the Software Engineering Institute (SEI) of Carnegie Mellon. The same folks that created CMMI and CERT have launched a new Business Methodology based on Best Practices. The standard is brand new, which cuts both ways. On the plus side is the fact that OCTAVE takes into consideration factors that weren’t even on the horizon 2 years ago when the last revisions of the other standards were written. However, with the number of standards increasing almost daily, organizations may be hesitant to adopt a standard that may not be supported in a few years.

And of course the elephant in the room that we have ignored until now is COSO. The grand-daddy of Business Frameworks is COSO (also sometimes referred to as the “Treadway Committee”). The organization was founded in 1985 in response to problems of fraudulent financial reporting at public corporations. Although COSO predates the Sarbanes-Oxley legislation by at least a decade, it wasn’t until the legislation’s full adoption that COSO gained its current stature. Before SOX became law, accounting compliance had been loosely governed by GAAP and a company's auditors had final approval. Enron, Worldcom and Global Crossing were the result of these voluntary standards. IT compliance and auditing did not exist. COSO provides an all-encompassing, enterprise-wide framework that reaches into all departments and divisions of an organization. And even though there exists a good deal of overlap in standards and policies, CobiT fits nicely within the overarching COSO framework.


SUMMARY

In order to assist you in your choice of a Business Framework, we have provided these thumbnail outlines of the three major competitors in this field: CobiT, COSO and ISF.

CobiT

Pros:
- Good alignment with business processes
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities of processes based on “ownership”
- Commonly accepted and recognized among third parties, regulators and auditors
- Fulfillment of COSO requirements for the IT control environment (34 IT Processes)
- Shared understanding among all stakeholders based upon a common set of terms

Cons:
- Costly: one survey found that adoption costs can run to 17% of total IT budget
- Framework requires additional security controls to “plug in”
- Framework difficult to read
- Dates between releases can be very long: 5 years between CobiT 3.0 and CobiT 4.0
- Framework must be “adapted” to each individual organization


COSO

Pros:
- Very mature product, originally founded in 1985
- Broadest and most “all encompassing” standard; includes all enterprise departments
- Industry recognized and accepted enterprise risk management
- The only product in this space (perhaps Six Sigma could be considered a rival)

Cons:
- Current version over 2 years old: released in Sept 2004
- “All encompassing” requires much “customizing”
- Very expensive and time consuming to implement
- Membership is costly and the amount of free documentation is very limited



ISF

Pros:
- Very thorough standard
- Easy to read, understand and implement
- Backed by 50% of the Fortune 100
- Latest release is the newest of any of those reviewed here (Jan 2005)
- Framework is provided FREE
- Has over $75 million and 16 years of time invested into making the standard the best it can be

Cons:
- Aimed at VERY large organizations
- Membership in ISF is very limited and for organizations only (no individuals allowed)
- Lacks “traction” with smaller non-global organizations
- Is not as commonly accepted among auditors as CobiT
- Has no method of certification


Which business process model you decide on ultimately depends on your individual organization, regulatory compliance factors (if any) and a host of other factors. The good news about this process is that all three of the Business Frameworks in this paper have a lot of overlap (best practices are, after all, best practices). And after your organization fully implements a Framework, along with the necessary IT controls, you will be able to turn the regulatory compliance process into a business advantage.


For guidance on choosing an IT Control Framework, see the next paper in this series, entitled "IT Controls: Which Standard?"






numly esn 59238-060524-509514-29


© 2006 All Rights Reserved.

Friday, May 05, 2006

ISO 17799 compared to COBIT

Your organization has gone through a Sarbanes-Oxley audit and survived. As a C-Level executive you may be thinking how to turn this yearly regulatory necessity into a positive experience. You may even be thinking how you can turn these audits to your company’s advantage. If you are thinking like this you are in good company. The majority of Fortune 500 Companies are already using regulatory compliance as a motivator to improve the business processes within their organizations. Additionally, over 64% of private companies are using SOX as a catalyst for change even though they are exempt from the regulation[1].

The opportunities for change range from merely implementing better accounting methodologies to a complete reworking of an organization’s business process. The focus of this paper is to help those organizations that are interested in getting their IT departments compliant with one of the major international standards: ITIL, ISO 17799 and COBIT.

While ITIL is the most widely used model for best IT practices[2], COBIT has proven to be the most popular framework here in the US. The similarities between the models are very high, and indeed there is work between the organizations to align their standards even more closely[3]. Which standard should you choose for your business? We will try to help you decide between the standards as well as provide you with a comparison (where appropriate) of the differences. It should be noted that while COBIT and ITIL provide an infrastructure (a view from 30,000 feet, as it were), ISO17799 provides actual implementation advice (the view from “where the rubber meets the road”). As such, there are many instances where the ISO17799 procedures fit nicely into the Business Controls Model of either ITIL or COBIT. When the ISO practices cannot fit well into one of the frameworks, a note is attached explaining the discrepancy.




[1] http://www.cfo.com/printable/article.cfm/4102770?f=options

[2] http://www.ogc.gov.uk/index.asp?id=1000368&syncNav=1#11

[3] http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=22493&TEMPLATE=/ContentManagement/ContentDisplay.cfm









esn 44510-060505-362236-15
© 2006 All Rights Reserved.

Security Compliance: Which Standard?

NIST800, ISO17799, AS/NZS4360, OCTAVE, ITIL, etc


Executive Summary

Reports of identity theft, exposed social security numbers and compromised credit card numbers make regular headlines. It seems that almost every week a laptop somewhere that contains sensitive data for thousands of people goes missing. Businesses are now forced to focus on the problems confronting computer data. Personnel from the CEO down to the Help Desk technicians are bearing responsibility for data breaches. As business tries to shore up its security posture it casts about for a “Common Denominator”, a definitive set of standards relating to computer security. There is no shortage of contenders for the title, because the field of competing security methodologies becomes more crowded every year. However, the field still lacks the one universally accepted standard, the Gold Standard of Data Security. This paper’s goal is to help the reader navigate through some of the choices currently available and to choose the methodology that best suits a particular business's needs.


Introduction

The field of Security Methodologies is a fairly new one, and prior to the early 1990s there were only 2 products in this space: NIST and BS7799. Both these standard bearers were created by government agencies, NIST from the National Institute of Standards and Technology in the US and BS from the British Standards Institute in the UK. While NIST had remained mostly a standard in government agencies, and is the basis for yearly Certification and Accreditation reviews, the BS standard took steps toward becoming the accepted international standard. In 2000 the BSI gave BS7799 to the International Standards Organization of Geneva (the ISO). In December of that same year, the ISO accepted the standard for information security and renamed it ISO17799. Even though the ISO standard had the backing of only one G7 country, it was popular with many smaller countries and was “fast-tracked” through the approval process. Reluctant to throw out their own standards, large industrial nations such as Japan, the US and Germany continued using their own set of rules. All the while ISO17799 gained "grass roots" momentum, and continues to do so even today.

As the market now stands there are close to a dozen competing efforts to standardize business practices. Generally these products can be categorized into two groups: Business Frameworks and Risk Methodologies. The borders between the categories continue to blur as Methodologies are re-written to include high level management goals and vice versa. This paper focuses entirely on the latter classification, Security Methodologies (also called Best Practices).


Security Methodologies/Best Practices

IT Managers and Directors are charged with making their shops more secure but are faced with a daunting task. In addition to the daily discovery of vulnerabilities, the market is full of competing Best Practice products. While the names ISO17799 and NIST800 are probably familiar to IT professionals, there are at least a dozen other “security standards” in this space. While the names ITIL, ISM³, SS, FIPS, PAS, ISF, OCTAVE, AS/NZS, and GAISP are not so well known, they are nonetheless competing for the same market. The names alone are enough to strike fear into the heart of even the most intrepid IT professional. However, despite some apparent differences (these products come from such far-flung locations as Singapore, the UK, New Zealand and the European Union), they all have remarkably similar underpinnings. The standards are based on computer security “best practices”, and while implementation of best practices varies from industry to industry, the basic concepts are remarkably similar. So similar, in fact, that NIST 800-53 includes an appendix which maps its methodology to ISO17799.

For an organization without a formal IT Framework, or for that matter, without even a Risk Methodology, a good starting place would be the NIST guidelines. The major advantage of NIST 800 also happens to be its major drawback. NIST regulations are mandatory for government agencies, but they are simply “guidelines” and recommendations for commercial enterprises. There currently exists no manner of certification, authentication or audit for anything other than governmental bodies. This shortcoming may in and of itself be the deciding factor for organizations looking for certification. ISO17799 and most of the other methodologies offer some type of accreditation or certification. However, on the plus side, NIST publications are easily obtainable, fairly easy to read, updated more frequently than most others, and perhaps most importantly, available for free. The costs for the publications from the other methodologies can easily run into thousands of dollars.

If an organization is looking for a slightly more robust option, then ISO 17799 is the answer. Any business subject to regulatory compliance, whether US based or international, should implement the ISO17799 methodology. Former criticisms of the regulations being too vague or off target were met with a major rewrite of the methodology in June of 2005. The new standards are very precise, giving information managers actual advice to “do this and don’t do that”. These additions brought the standards current and actually make it one of the best documents for A to Z security implementations.

Additional concerns about certification and authentication were also recently addressed in the ISO methodology. Prior to 2005, organizations wishing to become certified had to certify against the BS7799 standard. This caused problems on a number of fronts. However, these problems were resolved with the release of a new standard, ISO27001, which includes provisions for becoming certified. Certification is a concern for businesses in many different industries, both public and private. International businesses find themselves in a particularly difficult position since there is no one “de facto” standard, with almost every country mandating compliance with its own security regulations. ISO17799 represents a good compromise choice in this area and has the additional advantage that dozens of countries have already accepted this standard. It should be noted that ISO17799 certification is relatively new and that there are only 2509 registered organizations worldwide, with well over half (1516) coming from Japan alone. The remainder of the G8 nations (US, UK, Germany, Italy, France, Russia and Canada) together total only 325, and not all of these countries have adopted the 2005 standard. These numbers show the high level of uncertainty in the security methodology field and also the grass roots nature of the ISO standard. Organizations considering an ISO certification should weigh this in their decision.

Businesses with a more mature IT infrastructure may be better served by one of the “hybrid” standards. These standards attempt to specify the “nuts and bolts” approach common in the security methodologies while introducing a broader business framework. Examples in this category include the Australian and New Zealand Standards (AS/NZS 4360), work from the Carnegie Mellon Software Engineering Institute (OCTAVE), and standards from the British Office of Government Commerce (ITIL). OCTAVE represents the newest information standard, while ITIL claims to have “the most widely accepted approach to IT service management in the world”. Each of these hybrid solutions has strengths and weaknesses, and the unique needs of the individual business should drive the decision of which to choose.

Organizations with the most mature IT departments should consider aligning their business to one of the Business Frameworks that exist. While examination of these Business Frameworks is beyond the scope of this paper, any organization that standardizes on COBIT, Common Criteria, COSO, etc. will be well served by the process that results.



Summary

There currently exists a bewildering array of computer security methodologies in the market, with more appearing all the time. For organizations trying to improve the structure and security of their computer network, the choice of a product is very important. While all the Security Methodologies in this report provide an excellent start on the road to “computer security best practices”, no one solution is right for every business. The decision as to which solution to implement can be critical because the future direction of the organization’s IT infrastructure depends on it. It has been the purpose of this paper to give the reader a brief primer about the variety of security methodologies that exist and to present in an unbiased way the strengths and weaknesses of each.

Links

NIST: http://csrc.nist.gov/
ISO17799 http://www.iso.org/iso/en/ISOOnline.frontpage
AS/NZS4360 http://www.saiglobal.com/shop/script/search.asp
OCTAVE http://www.sei.cmu.edu/programs/nss/surv-net-mgt.html
ITIL http://www.itil.co.uk/
Frameworks graphic http://www.software.org/quagmire/
17799 in plain English http://praxiom.com/iso-17799-intro.htm
ISO27000 User Group http://www.xisec.com/
ISO27000 Certification http://www.xisec.com/certPortal.htm#CertAuditor




Bibliography

http://informationsecurity.techtarget.com/magPrintFriendly/0,293813,sid42_gci1175862,00.html
http://www.csoonline.com/read/030103/lite.html
http://www.lanfaxlabs.com.au/papers/P61-B-P-D-Cairns-final.PDF
http://www.sei.cmu.edu/publications/documents/99.reports/99tr017/99tr017chap01.html
http://www.cert.org/octave/approach_intro.pdf
http://72.14.203.104/search?q=cache:GE_bZQ0OF9kJ:www.sis.pitt.edu/~jjoshi/IS2820/Spring06/chapter06.doc+security+framework+iso+17799+nist+800&hl=en&gl=us&ct=clnk&cd=21&client=firefox-a
http://www.iso27001security.com/html/others.html
http://www.iso-17799.com/
http://72.14.203.104/search?q=cache:ORy7nD_HN20J:www1.netsec.net/content/securitybrief/archive/2004-03_NISTand17799.pdf+nist+800+formal+accreditation+commercial&hl=en&gl=us&ct=clnk&cd=3&client=firefox-a
http://itgovernance.politicalinformation.com/17799.htm
http://www.itil.co.uk/
http://www.itilcommunity.com/
http://www.get-best-practice.co.uk/home.aspx
http://www.get-best-practice.co.uk/securityManagementInformation.aspx
http://www.software.org/quagmire/
http://praxiom.com/iso-17799-intro.htm
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3=
http://www.xisec.com/
http://www.xisec.com/certPortal.htm#CertAuditor


esn 61133-060505-528465-31

© 2006 All Rights Reserved.