A CISO's lessons in building a security plan

By Paul Gillin, Contributor
16 Jan 2006 | SearchSecurity.com


You know you've got a security problem but you don't have the budget to engage a consulting firm for a comprehensive security audit. What's an IT security pro to do?

In the case of Hanover Insurance Group, a $3 billion property and casualty insurer, the answer was to get creative. Jeff Bardin, newly hired as CISO at Hanover in late 2004, went to the library of publicly available assessment tools and used the RFP process creatively to assemble a comprehensive list of vulnerabilities. His team then used that data to alert top management to the risks and to attack holes methodically, beginning with the low-cost/high-benefit options and working down.

Bardin, a former CIO, faced numerous security shortcomings when he arrived on the scene. Encryption use was spotty, peer-to-peer software use was potentially exposing proprietary data to outsiders and one employee was even buying and selling guns over the company's Internet connection.

Bardin and his team kicked off a top-to-bottom assessment of the security landscape using proven and freely available tools. The IT staff filled out a National Institute of Standards and Technology (NIST) Special Publication 800-26 self-assessment questionnaire that had been downloaded and modified with terms borrowed from the Capability Maturity Model (CMM), a widely used software best-practices benchmark. "I knew the IT staff would understand the questions because Hanover was already a CMM Level 3 shop," Bardin said. The results helped identify deficiencies in IT practices and processes.

Helpful hints

The key to raising awareness of information security in an organization is to communicate up, said Jeff Bardin, CISO at Hanover Insurance Group. Here are a few of his tips.

  • Seek out a trusted sponsor who knows how key managers will react to your message
  • Align your security priorities with business objectives so you tackle the big payoff problems first
  • Make sure you know how much the project will cost
  • Know top management's priorities and make them your priorities
  • Share data beforehand so there are no surprises
  • Know what the competition is doing and don't attack projects that are too far out of line with the market's thinking

The IT organization evaluated itself against the IT Infrastructure Library (ITIL) and Information Technology Service Management standards for service level performance. And Bardin started teaching mini-sessions on the ISO 17799 security standard. The objective was to attack the problem of data leakage. "I knew that if you have strong IT operating standards your security is going to be much better," Bardin said.

While the best practices education was going on, Hanover's seven-person security staff conducted a comprehensive audit. "We turned over everything, scanned everything, did physical walkthroughs, even sat in the CEO's chair at night," Bardin told an audience of IT managers at the Babson College Center for Information Management Studies recently.

The results of the surveys were rolled up into a series of easily understandable tables and charts showing how Hanover measured up against the standards in key security areas. At the same time, the team was creatively leveraging the RFP process to gather more data.

Bardin invited vendors to come in and demonstrate their intrusion detection and prevention products, but to do it in Hanover's production environment. The result showed that while Hanover's inner network hadn't been penetrated, the exterior was under assault.

The tests hit home with corporate management. "It showed that we may be in Worcester, Mass., but we're under constant attack from all over the world," Bardin said. "It raised awareness." He cautioned that IT pros should be up front with vendors if they plan to use evaluation data in this way.

The security team compared the vulnerability assessment against a list of the biggest risks to Hanover's business. The results were mapped into four quadrants on a cost/risk chart. That set the priorities and the team immediately set about tackling the best opportunities.
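The questionnaire roll-up and the four-quadrant cost/risk prioritization described above, as an added example that is not from the article or from Hanover; the control areas, CMM scores, risk ratings, cost figures and the two thresholds are constructed and assumed.

```python
from collections import defaultdict

TARGET_LEVEL = 3   # assumed target: the CMM Level 3 benchmark the article mentions
COST_CUT = 100     # assumed threshold (k$) separating low-cost from high-cost
BENEFIT_CUT = 4    # assumed threshold separating low-benefit from high-benefit

# Constructed questionnaire answers: (control area, question, observed CMM level 1-5)
ANSWERS = [
    ("Encryption", "Data at rest encrypted per policy?", 1),
    ("Encryption", "Transport encryption enforced?", 2),
    ("Endpoint control", "Unapproved peer-to-peer software blocked?", 1),
    ("Endpoint control", "Acceptable-use policy enforced?", 2),
    ("Perimeter", "IDS/IPS alerts monitored around the clock?", 3),
    ("Awareness", "Compliance training completion tracked?", 2),
]

# Constructed business view per area: risk to the business (1-5), remediation cost (k$)
BUSINESS = {
    "Encryption": {"risk": 5, "cost": 250},
    "Endpoint control": {"risk": 4, "cost": 40},
    "Perimeter": {"risk": 3, "cost": 120},
    "Awareness": {"risk": 2, "cost": 15},
}

# Order of attack the article describes: low-cost/high-benefit first, working down
QUADRANT_ORDER = ["low-cost/high-benefit", "high-cost/high-benefit",
                  "low-cost/low-benefit", "high-cost/low-benefit"]

def roll_up(answers, target=TARGET_LEVEL):
    """Average observed maturity per control area and measure the gap to target."""
    levels = defaultdict(list)
    for area, _question, level in answers:
        levels[area].append(level)
    result = {}
    for area, vals in levels.items():
        maturity = sum(vals) / len(vals)
        result[area] = {"maturity": maturity, "gap": max(0.0, target - maturity)}
    return result

def quadrant(benefit, cost, benefit_cut=BENEFIT_CUT, cost_cut=COST_CUT):
    """Place one remediation item on the four-quadrant cost/risk chart."""
    c = "low-cost" if cost <= cost_cut else "high-cost"
    b = "high-benefit" if benefit >= benefit_cut else "low-benefit"
    return f"{c}/{b}"

def prioritize(rollup, business):
    """Order remediation items by quadrant, then by benefit per k$ spent."""
    items = []
    for area, r in rollup.items():
        benefit = r["gap"] * business[area]["risk"]   # bigger gap on a riskier area pays off more
        items.append({"area": area, "benefit": benefit, "cost": business[area]["cost"],
                      "quadrant": quadrant(benefit, business[area]["cost"])})
    items.sort(key=lambda i: (QUADRANT_ORDER.index(i["quadrant"]), -i["benefit"] / i["cost"]))
    return items
```

Running `prioritize(roll_up(ANSWERS), BUSINESS)` on the constructed data puts the cheap endpoint-control gap first and the already-mature perimeter last.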

The presentation to company management had a few more bells and whistles. Bardin sought out data on which security projects other insurance companies were attacking. He also found a Gartner chart showing that security investments were likely to decline over time after the initial holes were filled. That made for a compelling argument for a stepped-up investment in security. And while Bardin said he'd always like to have more money for security, the company's awareness of the issue has improved from the top down.

Hanover still hasn't reached its goal of a "zero-incident culture," but as a result of the comprehensive assessment, it has its plans in place and 97% of the employees have taken compliance training. "We know where we stand relative to most of our vulnerabilities," Bardin said. "We have a real good idea of where the gaps are and what we still have to fill."

Paul Gillin is a technology writer and consultant and former editor-in-chief of TechTarget. His Web site is www.gillin.com.
