Governance by Design: How to Manage Cybersecurity Risk

The following is a “book report” on How to Manage Cybersecurity Risk.

Suggested Reading Focus

This security leader’s roadmap is designed to be instructional for a security leader in their first assignment as chief information security officer (CISO) in a mid-sized firm. The three sections are arranged by maturity level.

You may want to start with Section II, titled Planned, which describes the basics of an information security program. Section III, titled Managed, contains example process documents with an overarching integration framework, essentially the Plan-Do-Check-Act continuous improvement cycle. There is a brief section titled “Manage Regulatory and Contractual Compliance” that you may find interesting, primarily as a contrast between your understanding and that of a security professional.

Discussion Topics

Plan the Security Program – Using the organization’s authoritative policy system, briefly (1-2 paragraphs) describe the Program, then define the requirements and assign the responsibilities.

Define Objectives – Protect Information. Protect Information Systems.

Design Defense in Depth – Establish the processes, systems, and human capabilities to achieve the objectives.

Manage the Security Program – Formally document the integrated processes to operate the security program with an underlying rhythm of Plan-Do-Check-Act.


Key Processes – Plan Do Check Act

Risk Management – formalize identification of information security risks (a short list) with the organization executive. Assemble data from the other Key Processes and external sources to analyze risk. Perform risk analysis. Identify control improvement options, analyze the potential risk reduction, and develop a business case incorporating the risk analysis of the proposed improvement. Direct Policy Management to oversee the resulting control improvement projects.

Policy Management – maintain a security controls framework of control requirements with security domain applicability (i.e., personnel, physical, network, computing host or application security). Manage security control implementation and security control improvement projects. Also provide control requirements to Assessment Management.

Assessment Management – periodically measure, by various means, whether security controls have been implemented as required across all security domains. Also perform structured or ad hoc assessments to discover potential new vulnerabilities. Provide compliance and ad hoc assessment status to Risk Management.

Incident Management – manage the incident life cycle, leveraging detection and response capabilities. Develop and use incident intelligence sources to anticipate potential actions of identified threat agents. Provide the status of ongoing incidents, data about exploited vulnerabilities, and a summary of threat intelligence to Risk Management. Also identify potential (and sometimes urgent) security control improvements to Policy Management.
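The Risk Management process above ends in a business case for a control improvement. As an added illustration (this is not code from the book), the following Python sketch carries that step through using the Open FAIR factor structure the book is built on: Loss Event Frequency is Threat Event Frequency times Vulnerability, Vulnerability is the chance that the threat’s capability exceeds the control’s resistance strength, and annualized loss is Loss Event Frequency times Loss Magnitude. Each factor is a (minimum, most likely, maximum) calibrated estimate sampled with a triangular distribution. The scenario numbers, the control cost, the use of a triangular distribution and the one-draw-per-year treatment of vulnerability are assumptions made for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One risk scenario with each Open FAIR factor as a (min, most likely, max) estimate."""
    tef: tuple    # threat event frequency, events per year
    tcap: tuple   # threat capability, percentile of the threat population (0-100)
    rs: tuple     # resistance strength of the control, same percentile scale
    lm: tuple     # loss magnitude per loss event, currency units


def _draw(estimate, rng):
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)   # random.triangular takes (low, high, mode)


def simulate(scenario, iterations=10_000, seed=1):
    """Monte Carlo over the factor tree; returns annualized loss statistics."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = _draw(scenario.tef, rng)
        # Vulnerability (assumption: one draw per simulated year): threat events become
        # loss events when the attacker's capability exceeds the control's resistance
        # strength. Across iterations this averages to TEF x Vulnerability.
        vulnerable = _draw(scenario.tcap, rng) > _draw(scenario.rs, rng)
        lef = tef if vulnerable else 0.0
        annual_losses.append(lef * _draw(scenario.lm, rng))
    annual_losses.sort()
    n = len(annual_losses)
    return {
        "ale_mean": sum(annual_losses) / n,
        "ale_p90": annual_losses[int(0.9 * (n - 1))],
        "p_no_loss": sum(1 for x in annual_losses if x == 0.0) / n,
    }


def business_case(before, after, annual_control_cost, iterations=10_000, seed=1):
    """Compare the scenario before and after a proposed control improvement.
    The same seed is used for both runs so the comparison is paired."""
    b = simulate(before, iterations, seed)
    a = simulate(after, iterations, seed)
    reduction = b["ale_mean"] - a["ale_mean"]
    return {
        "ale_before": b["ale_mean"],
        "ale_after": a["ale_mean"],
        "annual_risk_reduction": reduction,
        "net_annual_benefit": reduction - annual_control_cost,
        "justified": reduction > annual_control_cost,
    }


# Constructed scenario (assumption): credential theft against a remote-access portal.
# Password-only authentication has low resistance strength against phishing.
PASSWORD_ONLY = Scenario(tef=(2, 6, 12), tcap=(40, 70, 95), rs=(20, 40, 60),
                         lm=(20_000, 150_000, 1_000_000))
# The proposed improvement raises resistance strength; threat and loss factors are unchanged.
WITH_2FA = Scenario(tef=(2, 6, 12), tcap=(40, 70, 95), rs=(60, 85, 98),
                    lm=(20_000, 150_000, 1_000_000))

if __name__ == "__main__":
    for k, v in business_case(PASSWORD_ONLY, WITH_2FA, annual_control_cost=60_000).items():
        print(f"{k:>22}: {v:,.0f}" if isinstance(v, float) else f"{k:>22}: {v}")
```

The output that matters to the executive is the annual risk reduction set against the annual cost of the control; the p90 figure is what you quote when the question is “how bad can a year get”, which the mean alone hides.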


Terminology

In my first draft I had much of the Appendix at the front of the book. But it was pointed out that the reader might not find their way to the real beginning of the story. Information security practitioners are all very diligent in their work, yet they exist in stovepipes. One result is that some very basic terms (risk, threat, vulnerability) mean different things to different security practitioners. Another example is that in the Incident Response domain, the words incident and event mean the exact opposite of dictionary definitions.
The Appendix is my proposed “correct” meanings and use of the information security vocabulary, including the popular word cybersecurity.

Lessons Learned

The layers of controls were just described from the inside out. However, while reacting to Internet threats it is natural to emphasize the outer layer of network controls. With threats escalating and the market for technical solutions expanding, the result can be a hard, crunchy shell around a soft center. This may seem analogous to the fortress castle with its strongest protection at the perimeter, but the reality of the Internet is that some threat communities have substantial resources, resulting in frequent attacks that leverage high capabilities; some will get through the perimeter. It is paramount to have effective security controls at all system layers.

The requirement to use complex passwords has been the best practice for many years. Unfortunately, the goal has been difficult to achieve, since it relies on users to remember multiple passwords that may not be particularly memorable. One of the fundamental control improvements in response to the increased capabilities of threat communities is the implementation of two-factor authentication.

Copyright © 2019 Christopher T. Carlson

Excerpt from How to Manage Cybersecurity Risk – A Security Leader’s Roadmap with Open FAIR


Information Systems Protection Requirements

When designing layers of control to protect the confidentiality, integrity and availability of information systems, it is necessary to start with the information and business systems needing protection, designing layers of protection from there. This way you ensure that all the controls are aligned to the objective. The resultant requirements are documented in your organization’s security control framework. Reference Figure 2 as we look at the layers of controls.

Figure 2 IT Security Design Diagram

The fundamental controls for protecting information apply equally to protecting electronic documents and business systems: marking sensitive information and using personnel security controls for people authorized to create, use and share the sensitive information, and who use business systems.

The next layer of controls is physical controls for the hosts containing documents and business systems, which are typically grouped together in a shared hosting environment (in the past these were simply called data centers). A robust physical perimeter and doors controlled to permit access by a very few trusted individuals helps assure confidentiality, integrity and availability of the information systems. In addition, power backup is typically provided to enhance availability.

Business systems may be designed to directly authenticate users, or they may rely on an infrastructure authentication capability such as Microsoft Windows Active Directory. Robust design and implementation of the business system application is necessary to reduce vulnerabilities in its user interfaces; this is especially relevant should the system be directly accessible from the Internet. Electronic documents are often stored using capabilities such as Microsoft Windows file sharing, which also takes advantage of Active Directory. The secure configuration of the information system host is the next layer of protection.

The information systems in some organizations rely on a single sign-on authentication system, and centralized identity data that includes people data attributes useful in making access decisions. The identity data may be integrated in Active Directory or could be part of a high availability directory service. Integrity and availability of these systems, along with appropriate data quality, are objectives of security controls for this component.

We now move out of the shared hosting environment into other organization facilities. We’ll assume that physical controls for information protection requirements are already in place. These provide some control for the network cables within a building as well as the user workstations connected to the network. Wireless communication between the network and the user is typically encrypted and has authentication to control its use. Network traffic between buildings could be physically protected where practical. But typically, this traffic travels through public networks, even if a dedicated communication path is provided. Point-to-point encryption is an option in these circumstances.

In some cases, the organization’s information systems (or some subset) are isolated from the Internet, so the organization’s physical perimeter is the final layer of protection. Otherwise, the final layer of controls is the interface between the organization’s information systems and the Internet, which is provided by perimeter systems. Some components include firewalls, antivirus and network traffic monitors. Often employees or other users can access the organization’s information systems through the perimeter. This requires robust authentication of the external users and more stringent host and application security controls to compensate for the increased threat event frequency associated with the perimeter. Some organizations choose to isolate the external-facing information systems in a network segment that excludes normal internal organization network traffic.

In the last section, we defined information protection requirements to be used when you design your security control framework. Those requirements apply equally to information systems. But we have added information system components and the protection objectives of confidentiality, integrity and availability. These requirements will also be composed of short requirements stated as a verb phrase, followed by additional detail relevant to your circumstances.

Some of these details are drawn from regulatory requirements. The following illustrates requirement statements.

  • Define confidentiality, integrity and availability requirements for business systems.
  • Establish electronic identifiers for network, host and application access control.
    • Employ a single badge for physical and computing access.
    • Require separate identifiers for users with privileged access.
  • Protect sensitive information during use and at rest in information systems.
  • Control access to organization networks, hosts and applications.
  • Limit access to sensitive information to authorized users.
  • Control authorized access to business systems.
  • Destroy sensitive information when no longer needed.
  • Monitor for and respond to potential intrusions to information systems.
  • Investigate and dispense corrective action to individuals misusing information systems.
  • Manage and monitor suppliers providing information systems support.
  • Prepare for disasters with offsite backup storage and geographically separate hosting.
  • Push security requirements to transportation security.


Security Systems

Finally, we come to the security systems that are trusted to enable a variety of physical, computing and network security controls. These include capabilities such as card access systems for the physical perimeter, network perimeter firewalls and access control. Also included are centralized identity, authentication, key management and authorization systems that are leveraged to support computing and network security.

Prior to the mid-1990s the organization’s information systems were entirely contained within the physical perimeter. Many organizations were swift in their adoption of the internet, with the desire to have a web presence and engage in e-commerce. Soon it became apparent that they had moved into a bad neighborhood containing threats that no longer had to overcome the organization’s physical perimeter in order to seek confidential information, deface web sites, and disrupt systems’ availability. Worse yet, the internet became awash with viruses attempting to attack systems, potentially adversely impacting confidentiality, integrity or availability.

The computing and network perimeter is much like the physical perimeter, providing a foundation for protecting the confidentiality, integrity and availability of the information system. The first step is to limit the number of connections to the internet, which is analogous to access-controlled doors on the organization’s physical perimeter. As with doors, the incoming internet traffic must be screened for what is permitted and what is not. It is also common to control traffic leaving the organization, most commonly to prevent access to internet locations known to present a threat to the organization.

Organization users may access the internet anonymously (e.g., access to a public web site) or they may have authenticated access to an internet location. The data flows between the user and the internet must be allowed to flow both ways through the perimeter. Similarly, there may be users at internet locations who are permitted to access systems inside the organization’s perimeter, such as employees working at home or on travel, and organization customers or suppliers who need access to organization systems in order to provide status and billing for materials being provided, or to order and check status on products being purchased. Fundamentally these all require an authentication at the perimeter in order to establish the connection. But what can arise is the burdensome requirement for a series of logons, such as logging on to the supplier’s information system, logging on to your organization’s perimeter, logging on to the host, and finally logging on to the desired application.

The ideal is to achieve a single sign on experience for users, employees as well as suppliers and customers. It is common to achieve single sign on for a hosting environment, which is commonly supported by Windows or UNIX operating systems. Applications can be configured to leverage the host authentication. It is also possible for one organization to trust the authentication of another organization. The Security Assertion Markup Language (SAML) can be leveraged for this purpose, accompanied by the establishment of the trust relationship between organizations and their information systems.
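The trust relationship the paragraph above mentions is, in practice, a short list of identity providers your systems will believe, plus checks that each assertion was really meant for you. As an added example (not code from the book), the Python below applies the relying-party checks to a SAML 2.0 assertion that a partner organization’s identity provider has issued: trusted issuer, validity window with clock skew, audience restriction, the InResponseTo/Recipient binding to a request you actually sent, and the NameID that becomes the user’s identity. The issuer, entity id, endpoint URL and the sample assertion are constructed for the example. It deliberately runs after XML-signature verification against the identity provider’s pinned certificate, which needs an XML-DSig library and is not shown; none of these checks replace that step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The trust relationship as configured on the relying organization's side
# (constructed values for this example).
TRUSTED_ISSUERS = {"https://idp.supplier.example/saml"}
OUR_ENTITY_ID = "https://apps.org.example/sp"
OUR_ACS_URL = "https://apps.org.example/sp/acs"
CLOCK_SKEW = timedelta(minutes=2)


def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_request_id, now):
    """Relying-party checks, applied only AFTER the XML signature has been
    verified against the issuer's pinned certificate (XML-DSig library, not shown).
    Returns (True, name_id) on success or (False, reason) on rejection."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "root element is not saml:Assertion"

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        return False, "issuer %r is not a trusted identity provider" % issuer

    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "assertion has no validity period"
    if cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"

    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if OUR_ENTITY_ID not in audiences:
        return False, "assertion was issued for a different service provider"

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request (replay or unsolicited)"
    if scd.get("Recipient") != OUR_ACS_URL:
        return False, "assertion was addressed to a different consumer endpoint"

    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    return (True, name_id) if name_id else (False, "missing NameID")


# Constructed sample assertion (signature element omitted; see the note above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2019-06-01T12:00:00Z">
  <saml:Issuer>https://idp.supplier.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@supplier.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://apps.org.example/sp/acs" NotOnOrAfter="2019-06-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-06-01T11:59:00Z" NotOnOrAfter="2019-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://apps.org.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    now = datetime(2019, 6, 1, 12, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "_req42", now))
    print(validate_assertion(SAMPLE_ASSERTION, "_req42", now + timedelta(minutes=10)))
```

The InResponseTo check is the one most often skipped in home-grown integrations; without it an assertion captured from one user’s browser can be presented again later, and the single-sign-on convenience becomes a single point of replay.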


Computing and Network Security

Users’ access to the organization’s information systems is the next layer of control, composed of the network, host, application and database components. For the moment, we will use the case where the user is at work in the organization’s office, i.e., they have gone through the physical perimeter. Now they must gain access to the information system, much like gaining access to a container protecting information. The sign-on requires the user to identify who they are (the userid) and validate that identity through something they know or have (e.g., password, PIN, access card with chip). This process may have to be repeated in order to access different computers or to access specific applications. The risk to confidentiality, integrity and availability of information within the information system is reduced by the strength of the access controls, making it more difficult for unauthorized users to gain access. Today two-factor authentication has become necessary due to the high capabilities possessed by many threat agents.
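Both the Lessons Learned paragraph on complex passwords and the paragraph above land on two-factor authentication as the control improvement. As an added example (not code from the book), the Python below implements the “something you have” factor that authenticator apps and many hardware tokens use: RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side verification a practitioner actually has to get right, namely a small drift window, a constant-time comparison, and refusal to accept a time step at or before the last one used, so a code seen over someone’s shoulder cannot be replayed. It uses only the standard library; the secret used in the demo is the reference secret from RFC 6238, so the codes can be checked against the RFC’s own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret in base32 (QR code / URI)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, submitted, unix_time=None, step=30, window=1, last_used_step=None):
    """Server-side check. Accepts the code for the current step or up to `window` steps
    either side (clock drift), compares in constant time, and never accepts a step at or
    before the one last used by this user, so an observed code cannot be replayed.
    Returns (accepted, step_to_record); persist step_to_record with the user on success."""
    if unix_time is None:
        unix_time = int(time.time())
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    # RFC 6238 reference secret, so the output can be compared with the RFC's test vectors
    demo = b"12345678901234567890"
    print(totp(demo, 59), verify_totp(demo, totp(demo, 59), unix_time=59))
```

The replay rule is why the function returns the accepted step rather than a bare boolean: the caller must store it, or a rate-limited attacker with a captured code still has a thirty-second window in which the code is valid.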

Access administration is an important component of maintaining the difficulty for unauthorized users to gain access. It is quite natural to desire the ability to quickly authorize users to have access to everything they need to do their job. But if not managed properly, they may have access to systems not required for their job, increasing risk to confidentiality, integrity and availability. But often overlooked is the need to remove access when it is no longer required. Over a long career in a large organization, individuals gradually build up a large collection of authorized accesses. Even in organizations with careful screening practices, there is some small frequency of insiders who may become motivated to steal sensitive information. With poorly managed access, the information is effectively 100% vulnerable to these insiders. Obviously, they are continuing to act despite the deterrence of prosecution if they are caught.

High privilege accounts used by system operators and trusted processes are necessary to manage and operate hosts. Like the special containers needed to protect security systems within the data center, these accounts need special controls to limit their use. Accounts with passwords are also needed to run business system applications, but there is the obvious problem of changing passwords regularly, and the need to have the password available to applications that initiate other processes.
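The two preceding paragraphs describe the failure that access administration has to catch: entitlements accumulate, leavers keep accounts, and privileged and service accounts sit outside anyone’s job role. As an added example (not code from the book), the Python below is the core of a periodic access review that reconciles a directory export against the HR roster and a role-to-entitlement model. It flags accounts whose owner has left, accounts with no accountable owner, entitlements beyond the owner’s current role, and dormant accounts, with a shorter dormancy limit for privileged accounts. The roster, roles, accounts and the 90/30-day thresholds are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data for the example (not from the book).
HR_ROSTER = {
    "e100": {"status": "active", "role": "accounts-payable"},
    "e200": {"status": "active", "role": "sysadmin"},
    "e300": {"status": "terminated", "role": "engineer"},
}
# The entitlements each job role is supposed to carry (the authoritative model).
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp-ap-users"},
    "sysadmin": {"vpn-users", "srv-admins"},
    "engineer": {"vpn-users", "git-developers"},
}
# Accounts as exported from the directory.
DIRECTORY = [
    {"account": "alice",      "owner": "e100", "privileged": False,
     "groups": {"erp-ap-users", "git-developers"}, "last_logon": date(2019, 5, 30)},
    {"account": "bob",        "owner": "e200", "privileged": False,
     "groups": {"vpn-users"},                    "last_logon": date(2019, 5, 31)},
    {"account": "bob-adm",    "owner": "e200", "privileged": True,
     "groups": {"srv-admins"},                   "last_logon": date(2019, 1, 2)},
    {"account": "carol",      "owner": "e300", "privileged": False,
     "groups": {"vpn-users", "git-developers"},  "last_logon": date(2019, 5, 1)},
    {"account": "svc-backup", "owner": None,   "privileged": True,
     "groups": {"srv-admins"},                   "last_logon": date(2019, 5, 31)},
]


def review_access(directory, roster, role_entitlements, today,
                  dormant_after=timedelta(days=90),
                  privileged_dormant_after=timedelta(days=30)):
    """Return (account, finding, detail) tuples for an access recertification."""
    findings = []
    for acct in directory:
        owner = roster.get(acct["owner"])
        if owner is None:
            findings.append((acct["account"], "orphan", "no accountable owner in the HR roster"))
            continue
        if owner["status"] != "active":
            findings.append((acct["account"], "leaver", "owner has left; disable the account"))
            continue
        # Mover residue: groups the owner's current role does not justify.
        excess = acct["groups"] - role_entitlements.get(owner["role"], set())
        if excess:
            findings.append((acct["account"], "excess",
                             "entitlements beyond role %s: %s" % (owner["role"], sorted(excess))))
        # Privileged accounts get a tighter dormancy limit than ordinary user accounts.
        limit = privileged_dormant_after if acct["privileged"] else dormant_after
        idle = today - acct["last_logon"]
        if idle > limit:
            findings.append((acct["account"], "dormant", "no logon for %d days" % idle.days))
    return findings


if __name__ == "__main__":
    for account, finding, detail in review_access(DIRECTORY, HR_ROSTER, ROLE_ENTITLEMENTS,
                                                  today=date(2019, 6, 1)):
        print(f"{account:<12} {finding:<8} {detail}")
```

Run against real exports, the “excess” findings are the ones that surface the long-career accumulation the text describes, and the “orphan” findings are usually the service accounts whose passwords nobody has rotated because nobody owns them.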


Physical Security

Containers, from cabinets to secure buildings, play a similar role for protecting information systems as for protecting information. The hosts processing information are housed in facilities that effectively are security containers designed to protect the confidentiality, integrity and availability of the information systems. The confidentiality of data within computers is protected by limiting authorized access to devices. The availability of systems is improved when they are housed in large data centers placed in locations chosen for reduced threat event frequency from acts of nature (earthquakes, floods, wind damage) and provided with backup power that responds to reduce the impact of threat events. Finally, security control systems are also located within the facility. Since the integrity of these systems is the foundation for the security controls across the organization’s information systems (e.g., encryption key controls), they may be placed within a container in the data center to further limit who is authorized access.


Personnel Security

Personnel security comprises the controls that enable people to play their foundational role in protecting the information and information systems of the organization. All people have responsibilities to properly use the protective controls. Some people are additionally trusted to support the correct design or operation of security controls. Thus, personnel security is the foundation upon which all other controls operate. This section discusses key elements of personnel security and the associated roles.

Screening

Applicants for job openings are screened to prioritize the best qualified candidate to hire. The security screening is intended to confirm the candidate’s trustworthiness and can vary depending on the level of trust associated with the position. Screening can involve credit checks and inquiries into police records. Formal organization criteria should be applied by the person in authority to accept or reject a candidate.

Establish Duty to Protect

On the first day, every new employee typically signs an employment contract. One component establishes their duty to protect the organization’s proprietary information and information systems. There may be an additional information protection agreement or a system use agreement signed during an employee’s career, such as when government classified information is involved.

Security Briefings, Training and Awareness

The security leader is challenged with the fact that people are the first line of defense and are also, as a group, the weakest element of defense. Illustrative examples include allowing tailgaters through physical access controls, leaving a list of userids and passwords beside their workstation, and clicking on links within (what should be) suspicious spam email.

Your organization’s first day employee training needs a component on security practices relevant for everyone. You will also want specialized briefings for other roles such as managers and system administrators. The objective on the first day is that organization executive’s security expectations are understood and internalized by every new employee. Avoid death by PowerPoint, which will win no converts.

Additional training is appropriate when specific security skills must be learned, such as secure application development practices. It is unfortunately common for organizations to invest in slick training modules and an array of current topics followed by a quiz to confirm skills. You will want to analyze the risk reduction benefit before proposing the investment in both development time and employees’ training time.

Promote Awareness

Employees receive education, training and awareness materials with the expectation that they will be equipped to play their very important role in information security. Do not underestimate the importance or difficulty of influencing user behavior. It is best to prioritize the few user behaviors that are of greatest importance, then reinforce them at reasonable intervals through the chain of command. For example, if wearing the organization badge is a key control, then the organization executive must model the behavior by always being seen wearing the badge where it is clearly visible.

The organization executive must “walk the talk” on following security practices. Executive staff will naturally copy the executive’s behavior. Whenever some security incident or new practice is shared with employees, the organization executive must be the primary speaker, with you sufficiently visible on explaining details to reinforce your role.

Very selective use of security reminders can help users so long as they are relevant and helpful. By contrast, use of generic posters, such as “remember security” with a comical picture, is more likely to decrease your credibility than to have any beneficial impact.

Finally, there will be instances when individuals fail to follow security practices. This results in an adverse impact to the organization. Your investigations organization presents findings to the disciplinary function, which determines appropriate disciplinary action for the individual. It is valuable to publicize a summary of the investigation (non-attributed), including the disciplinary action, as a practical reminder of the importance of personnel security and the consequences of failures.
