Information security incidents have significant repercussions for any enterprise in terms of identity theft, data theft, regulatory fines, loss of customer confidence and in some cases jail terms. Upen Sachdev and Charles Adams of Allied Digital Services cover the different regulatory requirements that enforce information security, the different governance options available to enterprises with a particular look at the cloud and the need for continuous security monitoring.
Companies have an intrinsic need to protect their data, resources, assets and ongoing operations with the help of information technology (IT) and non-IT controls. In many cases the law also requires companies to protect their data, and failure to do so is an offense that can carry significant legal repercussions. Examples of such regulations are California SB 1386 (breach notification), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards, the Federal Information Security Management Act (FISMA) and many more.
What Can Organizations Do?
IT security is concerned with the management of all aspects of IT operations in order to comply with internal company policies, management directives and regulatory requirements. Preventive, detective and corrective controls are subsets of IT governance frameworks and standards. Instead of implementing them piecemeal, which would make the administration and enforcement of these controls extremely difficult, an integrated approach using established industry standards is recommended.
Multiple IT frameworks and standards exist that help enterprises manage the different aspects of their operations, with the core focal points being information security, IT service delivery, IT operations and risk management across all of these segments. The most widely adopted are COBIT and ISO/IEC 27001.
The scope of implementation should be determined using a “top-down approach” as advocated by Public Company Accounting Oversight Board (PCAOB) in Auditing Standard No. 5. Although this approach is from an audit perspective, it would help allocate resources and funds according to the areas that are high risk.
Cloud computing replaces the multiple 'physical boxes' that companies previously ran their different systems on with a virtualized, shared environment, and its scalability and practicality mean that security controls now have to be designed around that environment. In addition, companies that have adopted cloud computing have already taken the first step towards outsourcing their infrastructure. In such a business environment it becomes imperative to continuously monitor the security status of the company's systems.
Outsourcing Information Security
This refers to the practice of handing the operation of a company's information security function over to a third-party information security service provider; accountability for the governance of that function remains with the company. The benefits of this approach are:
• Leveraging the third party's economies of scale to get comprehensive IT coverage without having to expend large amounts of capital.
• A move from an internal capital expense to an operational expense.
• No expensive assets need to be procured, implemented or maintained.
• No expensive resources need to be retained to manage and optimize security operations.
• Allows companies to focus on core competencies.
Continuous Security Monitoring
Security monitoring is a component of information security compliance that is common across all industry sectors and regulatory requirements. It involves gathering audit logs, normalizing them into a common event format, analyzing them, defining thresholds, measuring security events against those thresholds and reporting the identified security incidents to the relevant stakeholders.
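The pipeline described above (collect, normalize, analyze against a threshold, report) can be shown end to end on a handful of authentication log lines. The following is an added example written for this article, not code from the authors or from Allied Digital Services. The log lines are constructed syslog-style sshd messages, and the rule (five or more failed logins from one source address within 60 seconds, escalated to high severity if the same address then logs in successfully) is an assumed threshold chosen for illustration, not a value taken from any standard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log lines (syslog-style sshd messages); not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03Z host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
2024-03-01T10:00:05Z host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:07Z host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
2024-03-01T10:00:09Z host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:11Z host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51239 ssh2
2024-03-01T10:05:00Z host2 sshd[2201]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:20:00Z host2 sshd[2202]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:20:30Z host2 sshd[2203]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Step 1 (normalize): pull the fields a detection rule needs out of the raw text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def normalize(line):
    """Map one raw sshd line to a common event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["ip"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
    }

# Step 2 (analyze against a threshold): sliding window of failures per source address.
# Threshold and window are assumed values for this example.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return incidents: one per source that crosses the failure threshold, plus a
    high-severity one if that source then authenticates successfully in the window."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    already_alerted = set()
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src_ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src_ip"] not in already_alerted:
                already_alerted.add(ev["src_ip"])
                incidents.append({"rule": "ssh_bruteforce", "severity": "medium",
                                  "src_ip": ev["src_ip"], "host": ev["host"],
                                  "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the case to page someone for.
            incidents.append({"rule": "ssh_bruteforce_success", "severity": "high",
                              "src_ip": ev["src_ip"], "host": ev["host"],
                              "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
    return incidents

# Step 3 (report): render incidents in a form stakeholders can act on.
def report(incidents):
    return [f"[{i['severity'].upper()}] {i['ts'].isoformat()} {i['rule']} "
            f"src={i['src_ip']} host={i['host']} failures={i['failures']}"
            for i in incidents]

def run_pipeline(log_text):
    """Collect -> normalize -> analyze; returns the incident list (report() formats it)."""
    events = [e for e in (normalize(l) for l in log_text.splitlines()) if e]
    return detect(events)

if __name__ == "__main__":
    for line in report(run_pipeline(SAMPLE_LOG)):
        print(line)
```

On the constructed input, 203.0.113.7 produces one medium incident at the fifth failure and one high incident when its sixth attempt succeeds, while 198.51.100.4 produces nothing: its two failures are 15 minutes apart, so the first has expired from the window before the second arrives. Whatever the product, this is the shape of the work an MSSP or an in-house SOC does continuously; the thresholds are what the organization has to tune to its own environment.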
In order to perform this function in-house, an organization would need a team of people, plus hardware and software tools, performing this task on an ongoing basis: a significant capital expense for even a large enterprise, let alone a small to mid-size one.
Another approach is to engage a managed security service provider (MSSP). That approach lets organizations extend their investment, as MSSPs hold certifications that set them apart from the competition. A security operations center certified to the same standards is significantly more expensive to set up in isolation, whereas an MSSP can spread that cost across its customers. The advantages of this approach include:
• ISO/IEC 27001:2005, ISO 9001:2008, ISO 20000 and ISO 14001 certified data centers.
• More resources available for 24x7x365 day coverage including national and international holidays.
• Large enterprises with globally distributed offices may find this option more attractive as they already may have regional presence and experience.
• Small to mid-size enterprises, however, need this option even more than their larger counterparts, since they must keep overheads low in order to grow.
• This is an ideal solution for organizations that want a cost effective but reliable and scalable solution.
There are multiple ways to prevent security incidents. Operations staff need to build business cases to convince management which framework best suits their environment. The implementation plan must factor in any plans for outsourcing, while recognizing that information security is an ongoing operational process and cannot be treated as a one-off project.