Information Security Top-Down

December 1, 2004
This is the era of cyber terrorism [1], spamming [2], identity theft [3] and regulatory compliance requirements [4]. Enterprises are, and need to be, more conscious about how they expose themselves to the outside world; how they trust outsiders as well as insiders; what they do with consumers’ data; and how they keep their business running despite disasters [5]. While reactive enterprises merely counter threats they have already fallen victim to, proactive organizations have started to turn their security investment into business value [6]. The consequences for enterprises range from simple loss of customer confidence to legal liability [7]. The reports on security incidents [8] and identity theft [3], and the government initiatives of the last decade, are direct evidence of how seriously enterprises have to take the problem.

Challenges and remedies

Many private [9,10], academic [8] and federal [11] initiatives are trying to address the growing needs and challenges faced by enterprises. Each initiative differs in its objective, scope, comprehensiveness and target audience. Some are simple policies and procedures; others are more comprehensive recommendations and best practices [9,10,11,12]. The laws listed in Table 1 demonstrate that privacy of user data; confidentiality, integrity and availability of data or services; and the means to realize them are the central demands. While some legislation requires extensive confidentiality mechanisms to be put in place, other legislation emphasizes data availability and operational procedures. Enterprises that fall into one of the regulated categories need the infrastructure and mechanisms in place to guarantee compliance. Having identified the reasons for, remedies for and repercussions of information security, enterprises need to develop due-diligence practices and programs. Figure 1 depicts the scenario; Tables 1 and 2 enumerate the requirements.

Bottom-up vs. top-down approach

Organizations have dealt with the problem of security management through varied means. Traditionally, enterprises have adopted a bottom-up approach, in which operational staff initiate the process and then propagate their findings upward to management as proposed policy recommendations. Because management then has no picture of the threat involved, its implications, the resources required, the possible return or the method of implementing security, this approach has at times ended in fiasco.

The top-down approach, which looks at the entire issue from the opposite direction, is proving to be highly successful. Here, management understands the seriousness of the problem and initiates the process, which then systematically percolates down to operations staff.

Executive management

The top-down approach begins with management establishing a framework for initiating and implementing security practices in the enterprise. Management can consult the Federal Information Security Management Act (FISMA) and the ISO 17799 standard. FISMA strongly emphasizes the need for a management hierarchy and a delegation of roles. Though it has been applied at federal agencies, it can help private enterprises too. ISO 17799 can help in implementing a security program throughout an organization. As an inherent duty of the executive, controlling costs and devising a strategy to maximize return is a paramount objective. To meet this objective, management must align its business objectives with the recommendations of the new standards. Methodologies [8] such as the Security Attribute Evaluation Method, developed by Carnegie Mellon University, and fault tree analysis can help to perform cost-benefit analyses and risk assessment studies, and so help to choose one security architecture over another.
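As an added illustration, not taken from the article or from the Carnegie Mellon work it cites, the Python sketch below shows how a fault tree can feed a cost-benefit comparison between two candidate security architectures. The tree structure, the annual event probabilities, the impact figure and the control cost are all constructed placeholder values; basic events are assumed to be independent, and the top-event probability is combined with the impact to give an expected annual loss per architecture.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


# A fault tree node is either a basic event with an annual probability,
# or a gate (AND/OR) combining child nodes. Basic events are assumed
# independent, which is the usual simplifying assumption in a first-cut
# fault tree analysis.
@dataclass
class Basic:
    name: str
    prob: float


@dataclass
class Gate:
    name: str
    kind: str            # "AND" or "OR"
    children: List["Node"]


Node = Union[Basic, Gate]


def probability(node: Node, overrides: Optional[Dict[str, float]] = None) -> float:
    """Annual probability of the node's event.

    `overrides` maps a basic-event name to the probability it would have
    under a candidate architecture, so one tree can be evaluated for
    several designs without rebuilding it."""
    overrides = overrides or {}
    if isinstance(node, Basic):
        return overrides.get(node.name, node.prob)
    child_probs = [probability(c, overrides) for c in node.children]
    if node.kind == "AND":
        # All children must occur: product of probabilities.
        p = 1.0
        for x in child_probs:
            p *= x
        return p
    if node.kind == "OR":
        # At least one child occurs: 1 - P(none occur).
        q = 1.0
        for x in child_probs:
            q *= (1.0 - x)
        return 1.0 - q
    raise ValueError(f"unknown gate kind: {node.kind}")


# Constructed example tree: customer data is disclosed either through an
# external breach (perimeter AND authentication both bypassed) or through
# insider misuse. All probabilities are placeholders for illustration.
DATA_DISCLOSED = Gate("customer data disclosed", "OR", [
    Gate("external breach", "AND", [
        Basic("perimeter bypassed", 0.5),
        Basic("authentication bypassed", 0.2),
    ]),
    Basic("insider misuse", 0.1),
])

# Constructed loss if the top event occurs, in currency units.
IMPACT = 1_000_000.0

# Candidate architectures: name -> (annual control cost, probability overrides).
# Architecture B adds a stronger authentication control, which the analyst
# estimates cuts the "authentication bypassed" probability to 0.05.
ARCHITECTURES: Dict[str, Tuple[float, Dict[str, float]]] = {
    "A: current controls": (0.0, {}),
    "B: add stronger authentication": (40_000.0, {"authentication bypassed": 0.05}),
}


def compare_architectures(tree: Node, impact: float,
                          architectures: Dict[str, Tuple[float, Dict[str, float]]]
                          ) -> Dict[str, Dict[str, float]]:
    """Expected annual loss and total annual cost (loss + control cost)
    of each candidate architecture, evaluated on the same tree."""
    rows: Dict[str, Dict[str, float]] = {}
    for name, (cost, overrides) in architectures.items():
        p_top = probability(tree, overrides)
        expected_loss = p_top * impact
        rows[name] = {
            "p_top": p_top,
            "expected_loss": expected_loss,
            "control_cost": cost,
            "total": expected_loss + cost,
        }
    return rows


def cheapest(rows: Dict[str, Dict[str, float]]) -> str:
    """Architecture with the lowest total annual cost."""
    return min(rows, key=lambda n: rows[n]["total"])


if __name__ == "__main__":
    results = compare_architectures(DATA_DISCLOSED, IMPACT, ARCHITECTURES)
    for name, r in results.items():
        print(f"{name}: P(top)={r['p_top']:.4f} expected loss={r['expected_loss']:,.0f} "
              f"control cost={r['control_cost']:,.0f} total={r['total']:,.0f}")
    print("recommended:", cheapest(results))
```

With the constructed numbers, architecture A has a top-event probability of 0.19 (expected loss 190,000) while B lowers it to 0.1225 (expected loss 122,500), so B's 40,000 control cost is outweighed by the 67,500 reduction in expected loss. The point of the structure is that the same tree can be re-evaluated as estimates are refined, which is what makes the method usable for the management-level comparison the paragraph describes.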

Security policies and procedures are the starting point of establishing a central security initiative.

Operations

Mainly constituted by physical, administrative and technical security, the operations layer ensures secure operation of the components integrated into the infrastructure. Disaster recovery procedures [5], business continuity planning, remote backup facilities, secure integration of the application, middleware and back-end layers, and documentation of the various infrastructure elements have to be in place to meet operational security and continuity needs. The National Institute of Standards and Technology (NIST) [10] and CERT [8] have published several guidelines and checklists that address this layer’s requirements.

Technology

Enterprises build and acquire solutions to accomplish their business goals and processes. Recently the trend has shifted towards procuring commercial off-the-shelf (COTS) products [22]. Many federal regulations, including FISMA, strongly recommend that agencies consider purchasing pre-built integrated software for regulatory compliance from large software vendors.

Security metrics are essentially the processes and tools that support upper management in decision making about the performance, accountability and reporting processes associated with the security program. An effective security metrics program in an enterprise provides useful data for the allocation of resources. A structured program, established through the top-down approach, is a prerequisite for any metrics program. The NIST [10] guide SP 800-55, Security Metrics Guide for Information Technology Systems, discusses the components of an organizational metrics program and the means to accomplish it. The information gathered from the various layers is used as input to the metrics program, which in turn provides input for upper management to translate investments into a comprehensible return.

Framework and security model based approach

Recently, the Business Software Alliance [23] observed that a top-down approach would be ineffective unless there was a “governance framework” in place in the upper layers that defined roles and delegated responsibilities within the management structure. FISMA also strongly emphasizes the importance of team members knowing where responsibilities lie.

Such a framework can accelerate progress and increase management’s accountability, as discussed in the PricewaterhouseCoopers [24] paper titled Excellence in Security. The Information Systems Audit and Control Association [12] has published its collection of documents on governance and control objectives as an online resource dubbed “CoBIT” [12].

Conclusion

Companies small and large all have to lay out a clear roadmap and a coherent infrastructure for their security needs. Following due diligence can not only sustain and protect a business, it can also prepare the enterprise for future compliance needs. Treat security as a governance issue more than a technology issue.

References

1. http://cybercrimes.net/Terrorism/terrorism.html
2. www.spammingbureau.com
3. www.consumer.gov/idtheft/
4. IT Security Technologies Can Address Regulatory Compliance, Gartner Inc. (Feb. 2004)
5. http://secinf.net/disaster_recovery
6. The Definitive Guide to Identity Management, Rainbow Technologies Inc.
7. HIPAA Privacy, Security and Legal Implications, www.rx2000.org
8. www.cert.org
9. www.iso-17799.com
10. www.nist.gov
11. FISMA resource at www.chips.navy.mil
12. http://isaca.org
13. www.sarbanes-oxley.com
14. www.hhs.gov/ocr/hipaa
15. www.ftc.gov/privacy/glbact/glb-faq.htm
16. www.fda.gov/ora/compliance_ref/part11/
17. www.epic.org/privacy/terrorism/hr3162.html
18. www.ferc.gov/legal/ferc-regs.asp
19. www.bis.org
20. www.iso-standards-international.com/
21. The Standard of Good Practice for Information Security, www.securityforum.org
22. www.sei.cmu.edu/cbs/
23. Information Security Governance: Toward a Framework for Action, www.bsa.org
24. Excellence in Security, www.pwc.com
