The following is an excerpt from Building a Practical Information Security Program by authors Jason Andress and Mark Leary and published by Syngress. This section from chapter 9 explores deploying information security compliance processes.
Organizations confronted with multiple regulatory requirements, as well as their own security policies, often struggle to meet so many legal and regulatory obligations. Some organizations allow information security compliance to be addressed by more than just the information security function. For example, they may allow the business units most directly affected by a regulatory requirement to perform their own compliance assessment in addition to the organizational compliance assessment, and perhaps even a third assessment by Internal Audit. As a result, efforts are often incomplete, duplicative, and costly. In addition, these organizations may not have the rigor or discipline to execute an evidence-based audit and may simply "self-attest" to a state that is not reflected by reality.
A piecemeal approach may also undermine the integration of information security compliance into other institutional compliance programs, such as information privacy and institutional governance. For example, a decentralized approach to information security compliance management could make it harder to monitor and report on the controls that are increasingly a part of audits. For all of these reasons, organizations should consider a unified approach to information security compliance. With a unified approach, organizations subject to multiple information security laws, regulations, and guidelines can comply with all of them at one time. This is commonly known as a "test once, comply many" approach. The compliance team determines which organizational policies, laws, and regulations are applicable, conducts a single comprehensive compliance analysis that covers these multiple requirements, and then recommends the minimum level of safeguards that satisfies all of them. Where requirements conflict, such as on password strength, encryption strength, or audit settings, compliance should adopt the most stringent requirement as a "high water mark."
Step 1: Determine Applicable Security Policies, Laws, and Regulations
The first step in the process is to determine the security policies, laws, and regulations applicable to the organization. This preliminary step sets the scope of compliance. The determination not only assists in preparing the compliance assessment plan but also guides the compliance assessor in selecting the information to be collected and the type of compliance assessment methodology to be performed.
Identifying the appropriate requirements is not always straightforward. Depending on their activities and operations, organizations can be affected by a number of laws and regulations. In addition, some policies, laws, and regulations apply only to specific organizational departments or functional activities. In other cases, more than one requirement may apply to the same control area or domain. Once the applicable requirements are determined, an appropriate information security risk or compliance analysis framework, such as International Organization for Standardization (ISO) 27005 or the National Institute of Standards and Technology (NIST) 800-series, can be selected. It is often worth the effort to map these requirements onto one another when the target of evaluation is governed by several information security frameworks. For example, if the minimum password length for system access is six characters under one requirement, eight characters under another, and eight characters including special characters under a third, it is helpful to adopt a single requirement (the most stringent) and evaluate the system against it.
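The "high water mark" rule sounds simple, but "most stringent" points in different directions for different attributes: a longer minimum password is stricter, while a shorter session timeout or password lifetime is stricter. The following is an added example, not code or requirement text from the book; the three frameworks, their numbers, and the system configuration are constructed for illustration. It folds overlapping requirements into one baseline, records which framework set each mark so the report can cite it, and then evaluates a system against that baseline.

```python
"""High-water-mark merge of overlapping control requirements.

Each framework states its requirement for a control attribute; the merged
baseline keeps the most stringent value per attribute and records which
framework set it, so the evidence report can cite the governing source.
"""
from dataclasses import dataclass
from typing import Any, Callable

# Direction of "stricter" differs per attribute: a longer password minimum is
# stricter, but a SHORTER session timeout or password lifetime is stricter.
STRICTER: dict[str, Callable[[Any, Any], bool]] = {
    "min_password_length": lambda new, cur: new > cur,
    "require_special_chars": lambda new, cur: new and not cur,
    "max_password_age_days": lambda new, cur: new < cur,
    "min_tls_key_bits": lambda new, cur: new > cur,
    "audit_log_retention_days": lambda new, cur: new > cur,
    "session_timeout_minutes": lambda new, cur: new < cur,
}


@dataclass(frozen=True)
class Baseline:
    value: Any
    source: str  # framework whose requirement set the high-water mark


def high_water_mark(requirements: dict[str, dict[str, Any]]) -> dict[str, Baseline]:
    """Fold per-framework requirements into one baseline.

    requirements maps framework name -> {attribute: required value}.
    Attributes a framework is silent on do not constrain the result.
    """
    merged: dict[str, Baseline] = {}
    for framework in sorted(requirements):  # deterministic tie-breaking
        for attr, value in requirements[framework].items():
            if attr not in STRICTER:
                raise ValueError(f"no stringency rule for {attr!r}")
            cur = merged.get(attr)
            if cur is None or STRICTER[attr](value, cur.value):
                merged[attr] = Baseline(value, framework)
    return merged


def find_gaps(config: dict[str, Any], baseline: dict[str, Baseline]) -> list[str]:
    """Return one finding per attribute where the system falls below the baseline."""
    gaps = []
    for attr, req in baseline.items():
        actual = config.get(attr)
        # A missing setting is a gap; a setting stricter than required is not.
        if actual is None or STRICTER[attr](req.value, actual):
            gaps.append(f"{attr}: configured {actual!r}, requires {req.value!r} ({req.source})")
    return gaps


# Constructed requirement sets for three hypothetical frameworks; the numbers
# are illustrative and are not the text of any real regulation.
REQUIREMENTS = {
    "policy_A": {"min_password_length": 6, "audit_log_retention_days": 90},
    "regulation_B": {"min_password_length": 8, "max_password_age_days": 90,
                     "session_timeout_minutes": 30},
    "standard_C": {"min_password_length": 8, "require_special_chars": True,
                   "min_tls_key_bits": 2048, "session_timeout_minutes": 15,
                   "audit_log_retention_days": 365},
}

# Constructed configuration of the system under evaluation.
SYSTEM_CONFIG = {
    "min_password_length": 8,
    "require_special_chars": False,
    "max_password_age_days": 180,
    "min_tls_key_bits": 2048,
    "audit_log_retention_days": 365,
    "session_timeout_minutes": 15,
}

if __name__ == "__main__":
    baseline = high_water_mark(REQUIREMENTS)
    for attr, req in sorted(baseline.items()):
        print(f"{attr:28} {req.value!r:8} <- {req.source}")
    for gap in find_gaps(SYSTEM_CONFIG, baseline):
        print("GAP:", gap)
```

Adding an attribute without a stringency rule raises rather than silently guessing a direction; getting that direction wrong would let a weaker setting pass as compliant.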
The analysis model to be used will depend on the organizational type, the applicable information security requirements, and the information security framework aligned to both. For example, a government agency aligned to the NIST 800-series may require the compliance framework of NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems." A commercial entity aligned to the ISO 27000-series may find the ISO 27005 risk management method more appropriate. Some helpful qualifying questions to determine the scope and focus of the compliance assessment:
- What is the type of organization (e.g., privately held, publicly traded, government agency)?
- What type of industry or markets does the business participate in?
- What type of information is stored, processed, or transmitted?
- What processes have legal or regulatory implications (e.g., does the organization provide health care services, or process credit cards for payment)?
Step 2: Prepare the Information Security Compliance Management Plan
After the information security compliance requirements are identified, the compliance manager prepares a thorough compliance management plan. This plan guides the individual compliance activities: the number and type of compliance audits by business unit or entity; schedules of the compliance activities, including senior leadership reviews; policy, procedure, and guideline updates; staffing mixes and training requirements for the conduct of audits; and technology road maps for tools used during compliance audits. This is traditionally an annual process, adjusted periodically as schedules or resources are freed up or constrained.
Step 3: Data Collection and Asset Identification
Information gathering includes the identification of assets to be protected, document review, and interviews with both management and other stakeholders. The individuals who are interviewed may be line-of-business personnel, functional staff, senior management, legal counsel, audit and compliance personnel, and, of course, the IT staff. It may also involve vendors and other third parties, particularly if certain functions are outsourced but are in scope of the audit. The scope of the interviews will differ slightly, depending on the state, federal, and international laws and regulations that are applicable.
The data collection process reviews information security technical, operational, and risk management practices, processes, and procedures. Technical security reviews include asset management, configuration management, and security management, as well as assessment of IT architecture, application, and network policies. Operational security includes vulnerability management, patch management, incident management, business continuity/disaster recovery, and other operational services or functions. Risk management reviews cover policies and procedures, risk assessments, compliance audits, third-party security reviews, and other analytical functions in managing and governing IT security risk. It is also important to include physical security, to evaluate compliance for the protection of the facilities that house information systems.
Evidence is collected through manual or automated methods: mainly documents, interviews, and automated collection through system or security tools. Documentary evidence includes written policies and procedures, Internet policies and procedures, sanctions and disciplinary procedures, and other documents evidencing organizational efforts to protect information, such as contracts, procedures for assigning, modifying, or removing access rights, and password-management policies. Auditors will generally ask chief information officers, chief technology officers, and IT administrators a series of pointed questions over the course of an audit. Interviews are particularly helpful for eliciting how the program is implemented and personal observations of its effectiveness.
Some important areas to cover during interviews are:
- the individual(s) responsible for information privacy and security (at organizational and departmental levels);
- the information assets that need to be protected to support the business and operations;
- how the information security program is structured;
- how compliance policies and procedures are implemented and integrated with other activities;
- how well departments work together to ensure that information security practices are uniform;
- which third parties have access to the institution's information systems.
IT administrators prepare for compliance audits using event log managers and robust change management software that track and document authentication and access controls in IT systems. These tools' output may include which users were added and when, who has left the company, whether departed users' IDs were revoked, and which IT administrators have access to critical systems. Beyond the common system management tools, the growing landscape of governance, risk, and compliance (GRC) software now enables IT staff to quickly show auditors that the organization is in compliance.
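The evidence auditors ask for here, who was added and when, whether leavers' accounts were revoked, and who holds privileged group membership, can be reconstructed by replaying a directory audit log against an HR leavers feed. The following is an added example, not code from the book or the output of any particular product: the log format, the event names, the leavers list, and the one-day revocation SLA are all constructed assumptions. It flags leavers whose accounts are still enabled or were disabled later than the SLA, and rebuilds present membership of a privileged group from add/remove events rather than trusting a point-in-time screenshot.

```python
"""Reconcile a directory audit log against an HR leavers list.

Produces the evidence an auditor asks for in Step 3: which accounts were
created and when, whether leavers' accounts were revoked (and how quickly),
and who currently holds membership in the privileged group.
"""
import re
from datetime import datetime, timedelta

# Constructed audit log in a simplified syslog-like format; not the output of
# any real product. Fields: timestamp, actor, action, target [, group].
AUDIT_LOG = """\
2024-03-01T09:12:03Z admin1 USER_ADD alice
2024-03-01T09:12:40Z admin1 GROUP_ADD alice sysadmins
2024-03-04T14:02:11Z admin2 USER_ADD bob
2024-03-18T08:30:00Z admin1 USER_ADD carol
2024-03-18T08:31:10Z admin1 GROUP_ADD carol sysadmins
2024-03-22T17:45:09Z admin2 USER_DISABLE bob
2024-04-02T10:00:00Z admin1 GROUP_REMOVE alice sysadmins
"""

# Constructed HR leavers feed: username -> last working day.
LEAVERS = {
    "bob": datetime(2024, 3, 22),
    "carol": datetime(2024, 3, 29),
}

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<actor>\S+) (?P<action>[A-Z_]+) (?P<target>\S+)(?: (?P<group>\S+))?$"
)


def parse(log: str) -> list[dict]:
    """Parse log lines into dicts; an unparseable line is an error, not a silent drop."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def account_state(events: list[dict]) -> dict[str, dict]:
    """Return {user: {"created": ts, "created_by": actor, "disabled": ts or None}}."""
    state: dict[str, dict] = {}
    for e in events:
        if e["action"] == "USER_ADD":
            state[e["target"]] = {"created": e["ts"], "created_by": e["actor"], "disabled": None}
        elif e["action"] == "USER_DISABLE" and e["target"] in state:
            state[e["target"]]["disabled"] = e["ts"]
    return state


def current_members(events: list[dict], group: str) -> set[str]:
    """Replay GROUP_ADD/GROUP_REMOVE to reconstruct present membership of a group."""
    members: set[str] = set()
    for e in events:
        if e.get("group") != group:
            continue
        if e["action"] == "GROUP_ADD":
            members.add(e["target"])
        elif e["action"] == "GROUP_REMOVE":
            members.discard(e["target"])
    return members


def revocation_findings(state: dict[str, dict], leavers: dict[str, datetime],
                        sla_hours: float = 24) -> list[str]:
    """One finding per leaver whose account was not disabled within the SLA.

    The 24-hour SLA is an assumed policy value, not one stated in the text.
    """
    sla = timedelta(hours=sla_hours)
    findings = []
    for user, last_day in leavers.items():
        acct = state.get(user)
        if acct is None:
            continue  # no account on this system: nothing to revoke
        if acct["disabled"] is None:
            findings.append(f"{user}: left {last_day:%Y-%m-%d}, account still enabled")
        elif acct["disabled"] - last_day > sla:
            findings.append(f"{user}: disabled {acct['disabled'] - last_day} after last day")
    return findings


if __name__ == "__main__":
    evs = parse(AUDIT_LOG)
    st = account_state(evs)
    print("privileged group members:", sorted(current_members(evs, "sysadmins")))
    for f in revocation_findings(st, LEAVERS):
        print("FINDING:", f)
```

Here carol has left but is still both enabled and a member of the privileged group, which is exactly the kind of gap a self-attestation tends to miss and an evidence-based audit catches.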
Step 4: Perform Risk Analysis
In Step 4, the collected data are fed into the selected risk analysis (e.g., an organizational, ISO, or NIST framework). The quality and effectiveness of the compliance risk analysis results depend heavily on the quantity and quality of the data collected in Step 3. The compliance risk analysis covers technical, operational, and management security, including organizational context and considerations.
Step 5: Report Findings and Recommendations
The results of the compliance risk analysis are then documented in an information security compliance audit report. The report should describe the organizational context, identified threats and vulnerabilities, current controls, and the effectiveness (or absence) of those controls. To ensure relevance and due diligence, the report should reference the specific sections or paragraphs of the applicable security regulations for both existing and missing controls. To maximize its effectiveness, the report should also contain an action plan and milestone schedule for implementing the changes necessary to attain compliance with applicable laws and regulations. That plan should encompass all the safeguards identified in the risk analysis and also include procedures for selecting security system vendors or service providers and for installing security systems or services.
Step 6: Execute the Implementation Plan
The implementation plan provided in the information security compliance audit report is executed in this step. At this stage, it is important to integrate all new controls for meeting information security compliance with other compliance efforts currently under way (e.g., financial, contracts, legal). Integrating compliance programs ensures uniformity and consistency across compliance activities, or at the very least avoids duplicated effort. Rationalizing and harmonizing the compliance activities that support information security regulations can save time, money, and other resources.
Step 7: Periodically Monitor, Test, Review, and Modify the Information Security Compliance Management Program
Information security, like any IT activity, is an ongoing process. Maintaining a state of continuous compliance requires focused effort and coordination. Because the technology landscape changes, information security functions should continuously monitor and test the effectiveness of implemented controls against known or potential threats. This involves testing applications and networks against emerging threats and recommending actions when threats are present and vulnerabilities are discovered. Organizations accustomed to traditional approaches to information security compliance that focus primarily on annual audits may find it difficult to build in the people, processes, and technology necessary to support sustained compliance. Organizations should perform periodic compliance risk analysis to validate that control selection and implementation continue to be reasonable, appropriate, and effective.
About the author:
Jason Andress (CISSP, ISSAP, CISM, GPEN) is a seasoned security professional with a depth of experience in both the academic and business worlds. Presently, he carries out information security oversight duties, performing penetration testing, risk assessment, and compliance functions to ensure that critical assets are protected. Jason has taught undergraduate and graduate security courses since 2005 and holds a doctorate in computer science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing, and digital forensics.
Mark Leary has more than 30 years of experience in security management and technical intelligence, holding several positions of responsibility in IT security management for government agencies and commercial firms. Mark is currently Vice President and Chief Information Security Officer for Xerox Corporation. Mark holds a Doctorate in Management, an MBA with a concentration in Project Management, dual master's degrees in Security and IT Management, and several professional certifications (CISSP, CISM, CGEIT, and PMP). He also serves as an Adjunct Professor for the University of Maryland and Industry Advisor to the Rochester Institute of Technology.