This post is written in English on purpose. I wish to share the experience I gained in over 30 years of dealing with this subject with as wide an audience as possible. For this purpose, the English language is better than Hebrew. (The Hebrew version was posted some hours ago.)
1. Definitions + Interpretations:
1.1. Information Technology Security / Cyber Security (Hereafter: ITS/CS)
1.1.1. The overall means planned and implemented in the physical, computational (some call it logical as opposed to physical), procedural and human fields of activity, to achieve and preserve Confidentiality, Integrity, Availability and Survivability for Information, Information Technology systems, and other technological systems.
1.2. Knowledge Base
1.2.1. A collection of documents.
1.2.2. Includes all the knowledge needed to perform all the ITS/CS activities (you may call it the "Bible of ITS/CS"). See more on "knowledge base" in chapter 3 of this document.
1.3. Policy
1.3.1. A written document.
1.3.2. Signed by the top management/board of directors of an organization.
1.3.3. Demonstrates and clarifies their position on a specific topic.
1.3.4. Includes the guiding principles on that topic for the organization, while at the same time expressing the signing body's own obligation to the policy.
1.3.5. The content depends on several variables.
1.3.6. Responsibility for writing the document:
1.3.6.1. The ITS/CS Director/Manager. But is there such a manager in the organization? Commonly NOT. So the one who is responsible will be the Chief Information Security Officer (the CISO, commonly referred to as the "Information Security manager"), who will have a double role:
A. Writing the different chapters of the document:
1. Writing his part. (What is it? Look at his role description and you'll quickly find out. In Israel, in the Finance sector for example, his responsibility is generally confined to preserving the "C" – Confidentiality part of the C-I-A triangle.)
2. Seeing to it that every manager in the organization having responsibility for part/parts of the ITS/CS writes his part.
B. Integrating all the chapters into ONE INTEGRATED DOCUMENT bearing the title "The {organization name} ITS/CS POLICY".
Why is it his task? Because he is the secretary of the ITS/CS steering committee. And why is he? Because more than half of the ITS/CS tasks are concentrated around him or directly/indirectly guided or performed by him.
If there is ONE person to name, he is the one.
1.4. Procedure
1.4.1. A written document.
1.4.2. Contains clear guidance on how to perform a specific task mentioned in a policy.
1.4.3. Is directed towards an identified, specific audience. To make it clear, a procedure IS NOT a full description of a task performed by many units in the organization; that would be the workflow document for that task, not the procedure document.
1.4.4. Responsibility for writing the document:
1.4.4.1. The organizational department that owns the task.
1.4.4.2. Some organizations designate an organizational department with the task of writing all the procedures for the organization. In this case, the department that owns the task is responsible for delivering the content of the procedure to the department responsible for writing the procedures. This department will perform the technical writing of the procedure following the standards of the organization BUT preserve the original ownership of the department that owns the task.
1.5. Work Order
1.5.1. A written document.
1.5.2. Contains detailed instructions (sometimes highly technical/step-by-step) on how to perform a specific task.
1.5.3. Responsibility for writing the document: the unit responsible for performing the task.
1.6. Steering Committee for ITS/CS
1.6.1. A group of top managers appointed by the CEO or one of his deputies to oversee/navigate/control the entire ITS/CS activities in the organization.
1.6.2. Usually, the members of the steering committee represent the different organizational units responsible for the different parts of the ITS/CS (e.g.: IT, Physical security, procurement, manpower, legal, business units and so on).
1.6.3. The chairperson of the committee will be the CEO or one of the top managers.
1.6.4. The secretary of the committee should be the manager responsible for ITS/CS. When such a manager does not exist in the organization (generally this is the case), the Information Security manager (CISO) should be appointed as the secretary.
1.6.5. Meets periodically (2-6 times a year). Optionally, the chairperson has the authority to summon additional meetings if necessary.
1.6.6. The committee's authority includes (inter alia) inviting to its sessions other representatives from inside or outside the organization as relevant to the subject under discussion.
2. Responsibilities for ITS/CS
2.1. Following the definitions above, it seems NO ONE MANAGER in an organization has the ability to act as the sole manager responsible for the overall ITS/CS activities in an organization.
2.2. Some examples to clarify the somewhat overwhelming statement above:
2.2.1. The Manpower department is responsible for managing the lifecycle of the manpower in the organization. Part of this responsibility might be screening the candidates. One of the screening parameters should be the integrity/reliability of the candidate. So it might be that the manpower department should get some input from the Information Security manager, the physical security manager or both of them on what to look for during the integrity/reliability screening process. Take for example the case of a candidate for the role of an Information Technology System Administrator. Isn't this a highly sensitive role that requires thorough background checks and a variety of reliability tests before deciding to hire him/her? The same goes for sensitive roles in various business departments. Take the role of the treasurer for example. What about temporarily freezing permissions for employees taking a long vacation, or deleting the permissions entirely when the job is terminated for good? All those activities start at the manpower department as they are responsible for the manpower lifecycle in the organization. They are also responsible for defining (together with the business units) what roles exist in the organization. These roles are the foundations for permissions in the organization. And what about disciplinary actions that should be planned, made public to the employees and activated against employees violating ITS/CS policy/procedures/work orders? This too falls under the umbrella of the manpower department's responsibilities.
2.2.2. The Procurement department handles all the procurement in the organization. Some of it may be Information Technology, or any procurement process whose result may be a change in the current ITS/CS level. For example: buying new smartphones for top management that will contain organizational information of some sort.
2.2.3. The Physical security department is responsible for securing people, property and information by handling the physical side of the security process. One example might be the means to secure laptops while being moved outside the organizational premises. Physical security in that case might cover guidelines for how to carry the laptop, how to handle it in a private car, in public transportation, in the airport, during flight and so on. To complete the picture in this one simple example, the Information Security department will cover how to protect the data stored on the laptop (by encryption for example).
2.2.4. Business units are the reason why an organization exists at all. A business unit is responsible for one or more organizational processes. The meaning of this responsibility should be accountability for all the aspects of the process. One of them should be managing the risks accompanying the process. Those risks may include a breach of confidential data, unreliable or incomplete data that is part of the process and therefore having to repeat the process (if the process is repeatable at all), or inability to perform the process at the agreed upon SLA (Service Level Agreement). As organizations are grouped in sectors (Health, Finance, Education etc.) and therefore differ in business units, I shall try to give an example that fits almost all organizations. The example will be the marketing department. This department is responsible for the marketing process. Today, an Internet site of an organization is a common marketing tool. Now what about the risks? It's marketing information open to all. Who cares? Nothing confidential there. Correct. BUT what about the INTEGRITY/COMPLETENESS of the information shown to the public? Oh yes, this is important. And what about the AVAILABILITY of the Internet site? Oh yes, this is important too. Have you heard about defacement? DDoS (Distributed Denial of Service) attacks? OpIsrael and others? No marketing manager likes the phone call from his CEO telling him the Internet site has been corrupted (defaced) by some hackers and therefore must be taken offline. Having the right measures in place against the RELEVANT threats/risks for a process is a result of performing risk management for that process. This risk management is the responsibility of the PROCESS OWNER.
As more and more organizational processes become technology dependent, the owners must have the ability to take on the responsibility of managing also the technological threats/risks accompanying the process they are responsible for.
2.3. As mentioned, the above are examples of the huge organizational task to achieve and sustain ITS/CS. I hope that at this point it is already clear that this task is an organizational task overseen/navigated/controlled by the ITS/CS steering committee, with more than one department having different responsibilities in this task. The responsibilities correspond/relate to those departments' natural responsibilities in the organization.
2.4. Let us assume that the abovementioned conclusion is the reality. The question now to be answered is: what are the building blocks? How will everyone in the organizational puzzle know what to do? The answer lies in the methodology of writing and publishing the organizational formal documents of POLICY, PROCEDURES and WORKING ORDERS. This is the next chapter in the document.
3. Conveying the ITS/CS knowledge in an organization
3.1. The name of the chapter – an explanation
3.1.1. Why is the name of the chapter "conveying the knowledge…" and not "writing the documents"?
3.1.2. The answer is that before writing how the organization should act upon ITS/CS, the organization has to adopt a knowledge base for ITS/CS.
3.1.3. This knowledge base can be one of the following:
3.1.3.1. A knowledge base prepared by a competent authority for that purpose and for this organization. In this case, it is common that the organization MUST adopt this knowledge base, as this could be part of a national law. In this case another question arises: how complete is this forced knowledge base vis-à-vis the organizational task of ITS/CS? From my experience, it is generally incomplete. If so, it remains an organizational task to extend/complete the knowledge base at least to a degree acceptable for the organization.
3.1.3.2. A widely accepted knowledge base such as an International Standard or a group of internationally accepted standards prepared by an authorized standards institute or institutes. An example can be ISO 27002 for organizations with common/conventional IT systems, or, in another example, the combination of ISO 27002, ISO 27799 and a knowledge base for ITS/CS specific to medical devices for a Health Delivery Organization.
3.1.3.3. A knowledge base prepared specifically for the organization by outside or inside professionals.
3.1.3.4. Any combination of the above.
3.1.4. In any case, and whatever knowledge base the organization chooses to adopt or is forced to adopt, the starting point is a knowledge base, NOT writing a POLICY.
3.2. Following are the details about the documents, trying not to repeat what I already wrote in the 1st chapter (Definitions + Interpretations).
3.3. ITS/CS policy
3.3.1. Should cover in "policy statements" all the aspects of ITS/CS the organization thinks it must include. Keep in mind that formally, omitting something from the policy document prohibits writing a procedure for it. Lack of a procedure may cause something that should have been performed to be neglected.
3.3.2. Should be a double purpose document:
A. For inner (organizational) use: serves as the base for all the ITS/CS activities in the organization.
B. For outside use: should serve as the base for testing whether the organization can possibly achieve ITS/CS.
3.3.3. When writing a policy, four major elements have to be accounted for:
1. The knowledge base for ITS/CS adopted by the organization.
2. The independence of the organization (e.g. whether or not there exist any legal or other binding restrictions) in addition to the knowledge base.
3. What would be considered absolutely required to be included?
4. What are the unique requirements (e.g. the "fingerprints" of this specific organization) to be included? In other words, what are the real differences between this organization's policy and those of others in the same sector.
3.3.4. A typical ITS/CS policy document should contain the following paragraphs:
3.3.4.1. 1st Chapter: Definitions,
3.3.4.2. 2nd Chapter: General description of the organization including its main area of business & IT/Cyber components,
3.3.4.3. 3rd Chapter: The objectives of the POLICY document (it differs from the objectives of implementing the policy document),
3.3.4.4. 4th Chapter: Main threats & risks to Information, Information Technology systems and other Technological systems in the organization (why ITS/CS is needed),
3.3.4.5. 5th Chapter: Managing the risks of using Information, Information Technology systems and other Technological systems in the organization (ITS/CS knowledge base highlights – mainly a very short explanation of what ITS/CS is),
3.3.4.6. 6th Chapter: The objectives of implementing this policy,
3.3.4.7. 7th Chapter: Applicability. To whom the policy is applicable.
3.3.4.8. 8th Chapter: ITS/CS Authorities & Responsibilities in the organization (e.g. CISO, steering committee, responsibilities of various departments in the organization in achieving the ITS/CS posture),
3.3.4.9. 9th Chapter: Organizational specific highlights – principles for implementing ITS/CS in the organization. For example:
1. Information classification,
2. Personal responsibility for ITS/CS,
3. Handling the human factor (inner & outside),
4. Identification & Authentication to the IT systems/other technological systems,
5. Separation of duties & compartmentalization,
6. Remote access to information, Information Technology systems and other technologies owned/operated by the organization,
7. Security (Physical, computational, procedural and human) requirements imposed on outside elements (Outsourcing, suppliers, vendors, etc.),
8. Integrating security requirements during the processes of: procurement, development, change & upgrades of systems,
9. Auditing,
10. Technical controls,
11. Physical security controls (ITS/CS starts with physical security),
12. Safety measures in the main computing plant,
13. Business Continuity Planning.
3.3.4.10. 10th Chapter: Deviation from the policy document.
3.3.4.11. 11th Chapter: Updating the policy document.
3.4. Procedures
3.4.1. The name of the chapter – an explanation
3.4.1.1. Why is the name of the chapter "Procedures" and not "ITS/CS procedures"?
3.4.1.2. The answer is the heart of the matter I wish to clarify. As defined in the 1st chapter, a procedure is written by the owner of the process. As explained before, only part of the ITS/CS activities can hold the title of an "ITS/CS process". An example can be planning and managing ITS/CS surveys and penetration tests. Many other activities that contribute to achieving ITS/CS goals are performed, or better said should be integrated, into processes performed by a variety of departments in the organization. Procedures that are written by different organizational departments, describing their activities while integrating their ITS/CS requirements, are NOT ITS/CS procedures. They are procedures written and performed by those departments according to their roles in the organization. And what about ITS/CS? This will be explained in this chapter.
3.4.1.3. From here on I make no distinction between a procedure and a working order. It is left to the reader or the implementer to decide when it is needed to have both (meaning having a procedure and a working order with the same title) and when one of them will be enough.
3.4.1.4. I'll have a separate chapter explaining the unique situation when an organization or a department is ISO 9001 certified.
3.4.2. ITS/CS procedures
3.4.2.1. Identify the real activities that can be labeled "ITS/CS processes". I already gave the example of ITS/CS surveys and penetration testing. Another example can be planning the annual work plan of ITS/CS, and so on.
3.4.2.2. For each identified ITS/CS activity, a procedure should be written.
3.4.2.3. Who does it? As I mentioned before, generally this is the CISO. He is the one person in the organization whose job description is centered around ITS/CS activities. BUT he is not the only one in the organization who has ITS/CS duties to fulfill. What about the others? The CISO is a central figure in their ability to know what to do, BUT he is NOT the owner of their processes and therefore is NOT writing their procedures, NOR is he writing procedures for them or instead of them. What he does do is guide them. ITS/CS guidance is covered in the next sub-chapter.
3.4.2.4. How to write a procedure? It doesn't have to be an ITS/CS procedure; the following guidance is relevant for all kinds of procedures.
1. Write all procedures in the organization using ONE format. The content must vary of course, but the structure (the chapters' names) should be identical throughout the organization. That's the best way to ensure simplicity in writing, reading, understanding and implementing. As the saying goes: Keep It Simple.
2. An example of an organizational format for a procedure's chapter structure & content implementing the above advice:
A. 1st Chapter – GENERAL – explains the reason/s why there is a need to write this procedure.
B. 2nd Chapter – OBJECTIVE/S – what is the objective, or what are the objectives, to achieve in the activity or activities described in the procedure.
C. 3rd Chapter – DEFINITIONS – defining terms needed for understanding the procedure. (Optional. The meaning is that the 3rd Chapter will always be DEFINITIONS, but if there are no terms to define, the word ":NONE" will appear next to the chapter's heading.)
D. 4th Chapter – RESPONSIBILITY – who is responsible for writing/updating the procedure.
E. 5th Chapter – APPLICABILITY – to whom in the organization the procedure applies.
F. 6th Chapter – METHOD – this is the main body of the procedure. This chapter describes as clearly as possible the activity/activities that have to be done by those mentioned in the 5th chapter (see above).
G. 7th Chapter – ANNEXES – forms, guidance and other documents that the procedure's writer thinks are of relevance to this procedure.
3.4.3. ITS/CS guidelines/requirements
3.4.3.1. An assumption: the CISO is the key figure in the ITS/CS activities in the organization. What does this mean? The practical meaning is that he has to write guidelines for other departments in the organization. I use the word "guidelines" because I think this is the right word, BUT those guidelines are actually ITS/CS requirements. What is the content of those guidelines? What is their purpose?
3.4.3.2. ITS/CS guidelines – content:
A. An extraction from the knowledge base.
B. For each department, the relevant information should be extracted.
3.4.3.3. ITS/CS guidelines – purpose:
A. Each department, according to its natural role in the organization, should integrate its ITS/CS guidelines into its procedures.
3.4.3.4. ITS/CS guidelines – results (overall):
A. Procedures/working orders for all the departments include the ITS/CS guidelines extracted from the adopted organizational knowledge base.
B. ITS/CS activities are integrated into the processes of all the departments in the organization.
3.4.3.5. There might be left some special guidelines that are directed towards the entire organization. If possible, I suggest/prefer to integrate those guidelines into other departments' guidelines and NOT leave them as singular/special ITS/CS guidelines. The best example would be ITS/CS guidelines for the IT end users. ITS/CS guidelines for end users should be integrated into the overall guidelines to the employees that are published by the manpower department. This is the "main route" the organization chooses to convey to the employees their rights and duties. Why not use it to convey their ITS/CS duties? Are they different from other duties? Well, NOT. This is my message: they are just part of being employed by the organization, not more but NOT LESS.
3.4.3.6. Enforcing the implementation of ITS/CS guidelines throughout the organizational departments:
A. Why should any department integrate those guidelines? Who the hell is the CISO to guide all the organization? From where does the CISO draw his authority to guide?
B. Two simple answers:
1. From the ITS/CS POLICY document. The policy document should include the CISO's authority to guide the organization.
2. The ITS/CS steering committee.
C. It is recommended that the yearly audit plan of the internal auditor of the organization should permanently include auditing the integration & implementation of ITS/CS guidelines as performed by a sample of organizational units.
D. If any department is ISO 9001 certified (Quality management), then enforcing the ITS/CS processes might be easier as there should be inherent processes in place such as Internal Quality Audits, Management reviews, corrective actions and more. The interrelation/interaction of ITS/CS and Quality Management as it follows from the ISO 9001 family of standards deserves a broader treatment than just a marginal reference as above. It will be done later on.
4. Two examples:
4.1. The topic: HARDENING OF IT COMPONENTS
4.1.1. Professional Knowledge Base
4.1.1.1. Hardening documents.
4.1.2. POLICY
4.1.2.1. In the organization's ITS/CS policy appears something like this:
"… IT/Cyber components (like Operating systems, Databases, Communication components, Infrastructure S/W) that serve in the production environment will be hardened using hardening documents supplied and certified by the CISO"
4.1.3. PROCEDURES/WORKING ORDERS
4.1.3.1. For the CISO. The procedure/working order includes the following steps:
1. Find out what IT components are used in the organization and establish a procedure to be notified before any changes take place,
2. Prepare the correct hardening documents,
3. Set a working procedure with the IT manager responsible for the hardening operations in the IT department,
4. Deliver the hardening documents periodically,
5. Get notice that the hardening document arrived and that a timetable is set for the start/finish of the hardening process,
6. Get notice that the hardening process has ended,
7. Check whether the result of the hardening process on the IT component meets the requirements, and act upon the audit results.
4.1.3.2. For the IT Manager responsible for performing the hardening process:
1. He should write a corresponding procedure/working order that describes his "chain of operations" when he receives a new or updated "hardening document".
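Step 7 of the CISO's procedure (checking whether the hardened component meets the hardening document) is the one step that can be mechanized. The following is an added example, not code from the original post: it assumes a constructed hardening document for an SSH daemon (one "Infrastructure S/W" component; the settings are illustrative, not a real benchmark) and a constructed snapshot of the component's configuration reported back by the IT department, and it reports every deviation for the CISO to act on. The names Requirement, HARDENING_DOCUMENT, SNAPSHOT, parse_snapshot, audit and audit_passed are all this example's own.

```python
# Hardening-audit check for step 7 of the CISO procedure above.
# Added example, not part of the original post; document and snapshot are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    key: str        # configuration keyword named in the hardening document
    expected: str   # value the hardening document requires
    severity: str   # constructed scale: "high" or "medium"


# Constructed hardening document for an SSH daemon, "certified by the CISO"
# in this example. Values are illustrative, not a real benchmark.
HARDENING_DOCUMENT = [
    Requirement("PermitRootLogin", "no", "high"),
    Requirement("PasswordAuthentication", "no", "high"),
    Requirement("X11Forwarding", "no", "medium"),
    Requirement("MaxAuthTries", "4", "medium"),
]

# Constructed snapshot reported back by the IT department after hardening.
SNAPSHOT = """\
# sshd_config snapshot after hardening (constructed)
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 4
"""


def parse_snapshot(text):
    """Return {keyword(lowercased): value} from "keyword value" lines.

    Comments and blank lines are skipped. Keywords are matched
    case-insensitively and the FIRST occurrence wins, which is how sshd
    resolves duplicate keywords: a "corrected" line appended later does
    not override an earlier weak one. Match blocks are out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(document, snapshot_text):
    """Compare the snapshot against the hardening document.

    Returns a list of (key, expected, actual, severity) deviations. A
    keyword absent from the snapshot is reported (actual=None) rather than
    assumed to sit at a safe default, because the document asked for it.
    """
    actual = parse_snapshot(snapshot_text)
    findings = []
    for req in document:
        value = actual.get(req.key.lower())
        if value is None or value.lower() != req.expected.lower():
            findings.append((req.key, req.expected, value, req.severity))
    return findings


def audit_passed(findings, fail_on=("high",)):
    """The CISO's accept/reject decision: any finding at a blocking severity fails."""
    return not any(f[3] in fail_on for f in findings)


if __name__ == "__main__":
    for key, exp, act, sev in audit(HARDENING_DOCUMENT, SNAPSHOT):
        print(f"[{sev}] {key}: expected {exp!r}, found {act!r}")
```

On the constructed snapshot the audit reports PasswordAuthentication (high, found "yes") and X11Forwarding (medium, absent), so the component is rejected and sent back to the IT department.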
4.2. The topic: SECURE DEVELOPMENT REQUIREMENT
4.2.1. Professional Knowledge Base
4.2.1.1. The "secure coding practice document" certified by the CISO.
4.2.2. POLICY
4.2.2.1. In the organization's Information Security policy appears something like this:
"… In any contract with a vendor or bid, a section on ITS/CS will be included. Implementing ITS/CS requirements is a condition for establishing the engagement"
4.2.3. PROCEDURES/WORKING ORDERS
4.2.3.1. For the CISO. The procedure/working order includes (inter alia) the following:
1. When writing code is part of the procurement/bid process, then one of the requirements is "using the secure coding practice certified by the CISO"…
Or
"Those taking part in designing and writing code have formal training in the secure coding practice certified by the CISO"
4.2.3.2. For the Procurement manager responsible for the procurement process:
1. In his procurement procedure/working order the CISO's requirements/guidance should be integrated.
2. The contract signed by the vendor should include the relevant secrecy and ITS/CS requirements certified by the organization.