יום שני, 27 במאי 2013

Information Technology Security (ITS)/Cyber Security (CS) – Responsibilities, Knowledge Base, Policy, Procedures and Working Orders – A broad interpretation


This post is written in English in purpose. I wish to share the experience I gained in over 30 years of dealing with this subject with as much audience as possible. For this purpose, the English language is better than Hebrew. (The Hebrew version was posted some hours ago).

1.    Definitions + Interpretations:

1.1.      Information Technology Security / Cyber Security(Hereafter: ITS/CS)

1.1.1.     The overall means planned and implemented in the physical, computational (some call it logical as opposed to physical), procedural and  human fields of activities, to achieve and preserve Confidentiality, Integrity, Availability and Survivability for Information, Information Technology systems, and  other technological systems.

1.2.      Knowledge Base

1.2.1.       A collection of documents.

1.2.2.      Includes all the knowledge needed to perform all the ITS/CS activities. (you may call it the "Bible of ITS/CS). See more on "knowledge base" in chapter 3 of this document.

1.3.      Policy

1.3.1.      A written document.

1.3.2.      Signed by top management/board of directors of an organization.

1.3.3.      Demonstrates and clarifies their position on a specific topic.

1.3.4.      Includes the guiding principles on that topic for the organization, while at the same time expresses their (of the signing body) own obligation to the policy.

1.3.5.      The content depends on several variables.

1.3.6.      Responsibility for writing the document:

1.3.6.1.     ITS/(CS) Director/Manager. But is there such a manager in the organization? Commonly NOT. So the one who is responsible will be the Chief Information Security Officer (CISO or as he is commonly referred to as the "Information Security manager") who will have a double role:

A.     Writing the different chapters of the document:

1.  Writing his part. (What is it? Look at his role description and you'll quickly find out. In Israel, in the Finance sector for example his responsibility is generally confined to preserving the "C" – Confidentiality part of the triangle C-I-A).

2.  See to it that every manager in the organization having responsibility for part/parts of the ITS/CS writes his part.

B.    Integrating all the chapters to ONE INTEGRATED DOCUMENT bearing the title: "The {organization name} ITS/CS POLICY.

Why is it his task? Because he is the secretary of the ITS/CS steering committee and why is he? Because more than half of the ITS/CS tasks are concentrated around him or directly/indirectly guided or performed by him.

If there is ONE person to name, he is the one.

1.4.      Procedure

1.4.1.      A written document.

1.4.2.      Contains clear guidance how to perform a specific task mentioned in a policy.

1.4.3.      Is directed towards an identified specific audience. To make it clear, a procedure IS NOT a full description of a task performed by many units in the organization, this would be the workflow document for that task not the procedure document.

1.4.4.      Responsibility for writing the document

1.4.4.1.     The organizational department that owns the task.

1.4.4.2.     Some organizations designated an organizational department with the task of writing all the procedures for the organization. In this case, the department that owns the task is responsible to deliver the content of the procedure the department responsible to write the procedures. This department will perform the technical writing of the procedure by following the standards of the organization BUT preserve the original ownership of the department that owns the task.

1.5.      Work Order

1.5.1.      A written document.

1.5.2.      Contains detailed instructions (sometimes highly technical/step-by-step) how to perform a specific task.

1.5.3.      Responsibility for writing the document: the unit responsible to perform the task.

1.6.      Steering Committee for ITS/CS

1.6.1.      A group of top managers appointed by the CEO or one of his deputies to oversee/navigate/control the entire ITS/CS activities in the organization.

1.6.2.      Usually, the members of the steering committee represent the different organizational units responsible for the different parts of the ITS/CS. (e.g.: IT, Physical security, procurement, manpower, legal, business units and so on).

1.6.3.      The chairperson of the committee will be the CEO or one of the top managers.

1.6.4.      The secretary of the committee should be the manager responsible for ITS/CS. When such a manager does not exist in the organization (generally this is the case), the Information Security manager (CISO) should be appointed as the secretary.

1.6.5.      Meeting periodically (2-6 times a year). Optionally, the chairperson has the authority to summon additional meeting if necessary.

1.6.6.      The committee's authority includes (inter alia) inviting to its sessions other representatives from the organization or outside the organization as relevant to the subject under discussion.

2.    Responsibilities for ITS/CS

2.1.      Following the definitions above, it seems NO ONE MANAGER in an organization has the ability to act as the solely responsible manager for the overall ITS/CS activities in an organization.

2.2.      Some examples to clarify the somewhat overwhelming above statement:

2.2.1.      Manpower department is responsible for managing the lifecycle of the manpower in the organization. Part of this responsibility might be the performance of screening the candidates. One of the screening parameters should be integrity/reliability of the candidate. So it might be that the manpower department should get some input from the Information Security manager or the physical security manager or from both of them what to look for during the  integrity/reliability screening process. Take for example the case of a candidate for the role of a Information Technology System Administrator. Isn't this a highly sensitive role that requires a thorough background checks and a variety of reliability tests before deciding to hire him/her? The same goes for sensitive roles in various business departments. Take the role of the treasurer for example. What about temporarily freezing of permissions for employees taking a long vacation or deleting the permissions totally when terminating the job for good? All those activities start at the manpower department as they are responsible for the manpower lifecycle in the organization. They are also responsible to define (together with the business units) what roles exist in the organization. These roles are the foundations for permissions in the organization. And what about disciplinary actions that should be planned, made public to the employees and activated against employees violating ITS/CS policy/procedures/work orders? This too falls under the umbrella of the manpower department responsibilities.

2.2.2.      Procurement department handles all the procurement in the organization. Some of it may be Information Technology, or any procurement process that its result may be a change in the current ITS/CS level. For example: buying new smartphones for top management that will contain organizational information of some sort.

2.2.3.      Physical security department is responsible for securing people, property and information by handling the physical side of the security process. One example might be means to secure laptops while being moved outside the organizational premises. Physical security in that case might cover guidelines for how to carry the laptop, how to handle it in the private car, in public transportation, in the airport, during fight and so on. To complete the picture in this one simple example, the Information Security department will cover how to protect the data stored in the laptop (by encryption for example).

2.2.4.      Business units are the reason why an organization exists at all. A business unit is responsible for one or more organizational processes. The meaning of this responsibility should be accountability for all the aspects of the process. One of them should be managing the risks accompanied with the process. Those risks may include breach of confidential data, unreliable or incomplete data that is part of the process and therefor having to repeat the process (if the process is repeatable at all), inability to perform the process at the agreed upon SLA (Service Level Agreement). As organizations are grouped in sectors (Health, Finance, Education etc.) and therefore differ in business units I shall try to give an example that fits almost all of the organizations. The example will be the marketing department. This department is responsible for the marketing process. Today, an Internet site of an organization is a common marketing tool. Now what about the risks? It's marketing information open to all. Who bothers? Nothing confidential there. Correct. BUT what about the INTEGRITY/COMPLETENESS of the information showed to the public? Oh yeh. This is important. And what about the AVAILABILITY of the Internet site? Oh Yeh, this is important too. Have heard about Defacement? DDOS (Distributed Denial Of Service) attacks? OPISRAEL and others? No marketing manager likes the phone call from his CEO telling him the Internet site has been corrupted (defaced) by some hackers and therefore must be taken offline. Having the right measures in place against the RELEVANT threats/risks  for a process, is a result of performing risk management for that process. This risk management is the responsibility of the PROCESS OWNER. 

As more and more organizational processes become technological dependent, the owners must have the ability to take the responsibility of managing also the technological threats/risks accompanied with the process they are responsible of.

2.3.      As mentioned, the above are examples for the huge organizational task to achieve and sustain ITS/CS. I hope that at this point it is already clear that this task is an organizational task overseen/navigated/controlled by the ITS/CS steering committee, with more than one department having different responsibilities in this task. The responsibilities correspond/relate to those departments' natural responsibilities in the organization.

2.4.      Let us assume that the abovementioned conclusion is the reality. The question now to be answered is what are the building blocks? How will everyone in the organizational puzzle know what to do? The answer lies in the methodology of writing and publishing the organizational formal documents of POLICY, PROCEDURES and WORKING ORDERS. This is the next Chapter in the document.    

3.    Conveying the ITS/CS knowledge in an organization

3.1.      The name of the chapter – an explanation

3.1.1.      Why is the name of the chapter "conveying the knowledge…" and not "writing the documents"?

3.1.2.      The answer is that before writing how the organization should act upon ITS/CS, the organization has to adopt the knowledge base for ITS/CS.

3.1.3.      This knowledge base can be one of the following:

3.1.3.1.     A knowledge base prepared by a competent authority for that purpose and for this organization. In this case, it is common that the organization MUST adopt this knowledge base as this could be  part of a national law. In this case arises another question to answer: how complete is this forced knowledge base vis-à-vis the organizational task of ITS/CS? From my experience, it is generally incomplete. If so, it remains an organizational task to extend/complete the knowledge base at least to an acceptable degree for the organization.  

3.1.3.2.     A widely accepted knowledge base such as an International Standard or a group of internationally accepted standards prepared by an authorized standards institute or institutes. An example can be the ISO 27002 for organizations with common/conventional IT systems or in another example the combination of ISO 27002, ISO 27799 and a knowledge base for ITS/CS specified for medical devices for a Health Delivery Organization.

3.1.3.3.     A knowledge base prepared specifically for the organization by outside or inside professionals.

3.1.3.4.     Any combination of the above.

3.1.4.      In any case, and whatsoever knowledge base the organization chooses to adopt or is forced to adopt, the starting point is a knowledge base. NOT writing a POLICY.

3.2.      Following, the details about the documents. Trying not to repeat what I already wrote in the 1st chapter (Definitions + Interpretations).

3.3.      ITS/CS policy

3.3.1.      Should cover in "policy statements" all the aspects of ITS/CS the organizations thinks it must include. Keep in mind that formally, omitting something from the policy document prohibits writing a procedure for it. Lack of a procedure may cause that something that should have been performed might be neglected.

3.3.2.      Should be a double purpose document:

A.   For inner (organizational) use: Serves as the base for all the ITS/CS activities in the organization.

B.   For outside use: should serve as the base for testing if the organization can possibly achieve ITS/CS.

3.3.3.      When Writing a policy, four major elements have to be counted for:

1.     The knowledge base for ITS/CS adopted by the organization.

2.     The independence of the organization (e.g. if there exist/doesn't exist any legal or other binding restrictions) in addition to the knowledge base.

3.     What would be considered absolutely required to be included?

4.     What are the unique requirements (e.g. the "finger prints" of this specific organization) to be included. In other words, what are the real differences between this organizations' policy from others in the same sector.

3.3.4.       A typical ITS/CS policy document should contain the following paragraphs:

3.3.4.1.     1st Chapter: Definitions,

3.3.4.2.     2nd Chapter: General description of the organization including its main area of business & IT/Cyber components,

3.3.4.3.     3rd Chapter: The objectives of the POLICY document (it differs from the objectives of implementing the policy document),

3.3.4.4.     4th Chapter: Main threats & risks to Information, Information Technology systems and other Technological systems in the organization (why ITS/CS is needed),

3.3.4.5.     5th Chapter: Managing the risks of using Information, Information Technology systems and other Technological systems in the organization (ITS/CS knowledge base highlights – mainly a very short explanation what is ITS/CS?),

3.3.4.6.     6th Chapter: The objectives of implementing this policy,

3.3.4.7.     7th Chapter: Applicability. To whom the policy is applicable.

3.3.4.8.    8th Chapter: ITS/CS Authorities & Responsibilities in the organization (e.g. CISO, steering committee, responsibilities of various departments in the organization in achieving ITS/CS  posture),

3.3.4.9.     9th Chapter: Organizational specific highlights – principles for implementing ITS/CS in the organization. For example:

1.    Information classification,

2.    Personal responsibility for ITS/CS,

3.    Handling the human factor (inner & outside),

4.    Identification & Authentication to the IT systems/other technological systems,

5.    Separation of duties & compartmentalization,

6.    Remote access to information, Information technology systems and other technologies owned/operated  by the organization,

7.    Security (Physical, computational, procedural and human) requirements imposed on outside elements (Outsourcing, suppliers, vendors, etc.)

8.    Integrating security requirements during the processes of: procurement, development, change & upgrades of systems,

9.    Auditing,

10. Technical controls,

11. Physical security controls (ITS/CS starts with physical security),

12. Safety measures in the main computing plant,

13. Business Continuity Planning    

3.3.4.10.  10th Chapter: Deviation from the policy document

3.3.4.11.  11th Chapter: Updating the policy document

3.4.      Procedures

3.4.1.      The name of the chapter – an explanation

3.4.1.1.     Why is the name of the chapter "Procedures" and not "ITS/CS procedures"?

3.4.1.2.     The answer is the heart of the matter I wish to clarify. As defined in the 1st chapter, a procedure is written by the owner of the process. As explained before, only part of the ITS/CS activities can hold the title an "ITS/CS process". An example can be planning and managing ITS/CS surveys and penetration tests. Many other activities that contribute to achieve ITS/CS goals are performed or better said should be integrated into processes performed by a variety of departments in the organization. Procedures that are written by different organizational departments, describing their activities while integrating their ITS/CS requirements, are NOT ITS/CS procedures. They are procedures written and performed by those departments according to their roles in the organization. And what about ITS/CS? This will be explained in this chapter.

3.4.1.3.     From here on I make no difference between a procedure and a working order. It is left to the reader or the implementer to make the distinction when it is needed to have both (meaning having a procedure and a working order having the same title) and when one of them will be enough.

3.4.1.4.     I'll have a separate chapter explaining the unique situation when an organization or a department is ISO 9001 certified.

3.4.2.      ITS/CS procedures

3.4.2.1.     Identify the real activities that can be labeled "ITS/CS processes". I already gave the example of ITS/CS surveys and penetration testing. Another example can be planning the annual work plan of ITS/CS, and so on.

3.4.2.2.    For each Identified ITS/CS activity, a procedure should be written.

3.4.2.3.     Who does it? As I mentioned before, generally this is the CISO. He is the one person in the organization that his job description is centered around ITS/CS activities. BUT he is not the only one in the organization to have ITS/CS duties to fulfill. What about the others? The CISO is a central figure in their ability to know what to do, BUT he is NOT the owner of their processes and therefore is NOT writing their procedures NOR is he writing procedures for them or instead of them. What he does do is to guide them. About ITS/CS guidance in the next sub chapter.

3.4.2.4.    How to write a Procedure? Doesn't have to be an ITS/CS procedure. The following guidance is relevant for all kinds of procedures.

1.    Write all procedures in the organization using ONE format. The content must vary of course, but the structure (the chapters' names) should be identical throughout the organization. That's the best way to ensure simplicity in writing, reading, understanding and implementing. As the saying goes: Keep It Simple.

2.    An example for an organizational format for procedure's chapters structure & content implementing the above advice:

A.   1st Chapter: GENERAL – explains the reason/s what is the need to write this procedure.

B.   2nd ChapterOBJECTIVE/S – What is the objective or what are the objectives to achieve in the activity or activities described in the procedure.

C.   3rd ChapterDEFINITIONS – defining terms needed for understanding the procedure. (Optional. The meaning is that the 3rd Chapter will always be DEFINITIONS, but if there are terms to define, next to the chapter's heading the word ":NONE" will appear).

D.   4th ChapterRESPONSIBILITY – who is responsible for writing/updating the procedure.

E.   5th Chapter -   APPLICABILITY – to whom in the organization the procedure applies.

F.    6th Chapter - METHOD – this is the main body of the procedure. This chapter describes as clearly as possible the activity/activities that have be done by those that are mentioned in the 5th chapter. (see above).

G.   7th ChapterAnnexes: forms, guidance and other documents that the procedure's writer thinks are of relevance to this procedure.

3.4.3.      ITS/CS guidelines/requirements

3.4.3.1.     An assumption: The CISO is the key figure in the ITS/CS activities in the organization. What does this mean?

The practical meaning is that he has to write guidelines to other departments in the organization. I use the word: "guidelines", because I think this is the right word, BUT those guidelines are actually ITS/CS requirements.  

What is the content of those guidelines? What is their purpose?

3.4.3.2.     ITS/CS guidelines – content:

A.   An extraction from the knowledge base.

B.   For each department, the relevant information should be extracted.

3.4.3.3.     ITS/CS guidelines – purpose:

A.   Each department according to its natural role in the organization should integrate their ITS/CS guidelines into its procedures.

3.4.3.4.     ITS/CS guidelines – results (overall):

A.   Procedures/working orders for all the departments include the ITS/CS guidelines extracted from the adopted organizational knowledge base.

B.   ITS/CS activities are integrated into the processes of all the departments in the organization.

3.4.3.5.     There might be left some special guidelines that are directed towards the entire organization. If it is possible I suggest/prefer to integrate those guidelines whenever possible in other departments guidelines and NOT leave them as ITS/CS singular/special guidelines. The best example would be ITS/CS guidelines for the IT end users. ITS/CS guidelines for end users should be integrated into the overall guidelines to the employees that are published by the man power department. This is the "main rout" the organization chooses to convey to the employees their rights and duties. Why not use it to convey their ITS/CS duties? They are different from other duties? Well NOT. This is my message, they are just part of being employed by the organization, not more but NOT LESS.

3.4.3.6.     Enforcement the implementation of ITS/CS guidelines throughout the organizational departments:

A.   Why should any department integrate those guidelines? Who the hell is the CISO to guide all the organization? From where does the CISO draw his authority to guide?

B.   Two simple answers:

1.     From the ITS/CS POLICY document. The policy document should include the CISO's authority to guide the organization.

2.      The ITS/CS steering committee.

C.   It is recommended that the yearly audit plan of the internal auditor of the organization, should permanently include auditing the integration & implementation of ITS/CS guidelines as performed by a sample of organizational units.

D.   If any department is ISO 9001 certified (Quality management), then the ITS/CS processes enforcement might be easier as there should be in place inherent processes such as the Internal Quality Audits, Management reviews, corrective actions and more. The interrelation/interaction of ITS/CS and Quality Management as followed after the ISO 9001 family of standards deserve a broader treatment than just a marginal reference as above. It will done later on.

4.    Two examples:

4.1.      The topic: HARDENING OF IT COMPONENTS

4.1.1.      Professional Knowledge Base

4.1.1.1.     Hardening documents.

4.1.2.      POLICY

4.1.2.1.     In the organization's ITS/CS policy appears something like that:

"… IT/Cyber components (like Operating systems, Data bases, Communication components, Infrastructure S/W) that serve in the production environment will be hardened using hardening documents supplied and certified by the CISO"

4.1.3.      PROCEDURES/WORKING ORDERS

4.1.3.1.     For the CISO. The procedure/working order includes the following steps:

1.     Find out what IT components are used in the Organization and establish a procedure to be notified before any changes are taking place,

2.     Prepare the correct hardening documents,

3.     Set a working procedure with the IT manager responsible for the hardening operations in the IT department.

4.     Deliver the Hardening documents periodically.

5.     Get notice that the hardening document arrived and Time table set for start/finish the process of hardening.

6.     Get notice the hardening process ended.

7.     Check the IT component that was hardened if the result of the hardening process meets the requirements and act upon the audit results. 

4.1.3.2.     For the IT Manager  responsible for performing the hardening process:

1.     He should write a corresponding procedure/working order that describes his "chain of operations" when he receives a new or updated "hardening document".

4.2. The topic: SECURE DEVELOPMENT REQUIRMENT

4.2.1.      Professional Knowledge Base

4.2.1.1.     The "secure coding practice document" certified by the CISO.

4.2.2.      POLICY

4.2.2.1.     In the organization's Information Security policy appears something like that:

"… In any contract with a vendor or bid a section of ITS/CS will be included. Implementing ITS/CS requirements is a condition for establishing the engagement"

4.2.3.      PROCEDURES/WORKING ORDERS

4.2.3.1.     For the CISO. The procedure/working order includes (inter alia) the following:

1.     When writing code is part of the procurement / bid process than one of the requirement is "using practice of secure coding certified by the CISO"…

Or

"Those taking part in designing and writing code have a formal training in secure coding practice certified by the CISO"

4.2.3.2.     For the Procurement manager  responsible for the procurement process:

1.     In his procurement procedure/working order the CISO's requirements/guidance should be integrated.

2.     The contract signed by the vendor should include the relevant secrecy and ITS/CS requirements certified by the organization.

אין תגובות:

הוסף רשומת תגובה