22 June 2013
Abstract: This document will propose a candid, straightforward approach for developing a successful and sustainable enterprise corporate security program for non-profit organizations in the US Central region. The strategy will reflect alignment between the organizational information or corporate security office and executive leadership's business goals and objectives, resulting in a clear risk-based security investment process.
5 Budget
5.1 Overview
5.2 Labor Cost
6 References
Page 2 of 20
Table of Figures
Figure 1-1 Security Cross Matrix Aligned with ITIL Version 3 (SABSA, 2013)
Figure 2-1 Information Security Baseline Metrics Framework
Figure 3-1 Evolutionary Process Improvement Roadmap
Figure 4-1 Security Functional Organization Chart. Dotted lines represent communication only
Figure 5-1 US Central and Mountain Regional Security Salaries for 2012
Figure 5-2 Adjusted 2012 Security Salaries for Iowa Region
List of Tables
Table 2-2 Example of Security Metrics Aligned with Overarching Business Drivers ................................. 5
Introduction
This document will propose a candid, straightforward approach for developing a successful and sustainable enterprise corporate security program for non-profit organizations in the US Central region. The strategy will reflect alignment between the organizational information or corporate security office and executive leadership's business goals and objectives, resulting in a clear risk-based security investment process (Gartner, 2005). Ultimately, the strategy will demonstrate security for the sake of business as opposed to security for the sake of security. The approach is based on respective industry standards, best practices, and proven strategies. This enables an organization to customize security processes while maintaining a solid foundation for the security program.
1.1
Although most businesses have some form of risk-based investment strategies to keep their doors open, many have no formal risk-based security management program in place. As a result, the impacts realized may include:
- Abstract implementation suggestions that lead to inefficient risk mitigation strategies (Baker et al., 2007)
- Subjective threat probability determination instead of objective evaluation (Frosdick, 1997; Bandyopadhyay and Mykytyn, 1999; Baker et al., 2007)
- Unquantifiable security investments directly impacting expected return-effectiveness (Ittner and Larcker, 2003; Smith and Spafford, 2004)
- No viable executive leadership decision support needed to identify appropriate security solution cost benefits (Fenz et al., 2011)
Consequently, the fundamental-level impacts from having a fragmented security infrastructure include failed security audits, uncontrolled business processes, and no valid accountability for business process owners.
1.2
In keeping with industry standards and best practices, the proposed security governance framework will deliver results along five strategic dimensions:
1. Security strategies aligned with business objectives and consistent with applicable laws and regulations, to reduce cost and increase the effectiveness of compliance
2. Security risks identified and managed to achieve business objectives, yielding strategic cost savings by addressing security from a comprehensive perspective
3. Security program management: design, development, and management will implement the security governance framework by utilizing a comprehensive set of managerial tools (e.g., metrics) and disciplines (e.g., risk management), along with a customizable means of communicating the value, status and impact of security to executive colleagues and other stakeholders
4. Security leadership will oversee and direct activities to execute the security program transformation from asset guardian to strategic business enabler, for effective change that will benefit the organization over the long term
5. Response team protocols will support the capability to respond to and recover from disruptive and destructive security events
Figure 1-1 Security Cross Matrix Aligned with ITIL Version 3 (SABSA, 2013)
This approach will enhance the ability to establish customized enterprise-wide security solutions as a dynamic continuous process, while maintaining a solid foundation of best practices necessary to meet the legal and business requirements of the business stakeholders.
The Security Office will leverage governance mechanisms to ensure that proactive security and risk control practices are directly in line with business objectives (Howe & Olsen, 2009). The approach will succeed by having business process owners take ownership of a relatively small number of risk management profiles respective to their operations. This will result in a positive security convergence, developing a managed business process solution to address enterprise operation risks and interdependencies (ASIS, 2010). Organizations can achieve these critical goals as follows:
- Risk Management as an Investment Strategy
- Agile Security for the Sake of Business
- Clear Communications to Bridge Operations and Technology
- Individual Accountability
2.1
The traditional approach of driving a one-size-fits-all level of protection cannot be simultaneously effective and economically viable for the Security business unit. Instead, it is important to leverage risk management as an investment strategy. Using business continuity-based risk assessments will enable leadership to better understand where security capabilities in people, processes, and technologies reside across the enterprise, and what security needs to achieve for the organization in the future. This evolutionary tactic will facilitate greater budgetary control over the security services provided to internal clients while providing effective and efficient corporate protection over the long term. Ultimately, this will enable leadership to optimally account for process-based risk levels, with the added cost benefit of prevention versus reaction to security issues. Further, security management's capability maturity will quickly evolve beyond fundamentally integrated information security and physical security as connected disciplines. For example, an enterprise portfolio management tool could be used to support the respective operational changes: changing the assumptions and inputs to model annual plans and what-if scenarios could then help develop forward visibility into how, when, and in what combinations and sequences one can focus on new security capabilities. In this regard, the software tool can standardize analysis models and forecast impacts to the organization resulting from changes in the business or technology environments.
2.2
Collectively, the organizational business objectives form the single most important driver of the security strategy. Basing the enterprise security policies and protocols on the organizational business needs will demonstrate clear and continual support for the business's strategic goals and objectives, enabling security leadership to better defend their respective security plans and the budgets they require (Martin et al., 2011). This goal can be achieved by leveraging process improvement methodologies, metrics, and key performance measures to meet the organization's bottom-line requirements and enable real assessment of the security protocols' and processes' effectiveness and value.
Figure 2-1 Information Security Baseline Metrics Framework (diagram elements: Business Value; People, Process, Infrastructure, Technology, Compliance)
The users of security evidence include system and software developers, operational system managers, risk managers, and the executive and organizational leadership. Decision support, monitoring and prediction assessments benefit from security metrics:
- Strategic Support: Security assessments can aid different kinds of decision making (e.g., program planning, resource allocation)
- Quality Assurance: Audits can be used to eliminate vulnerabilities, measure adherence to standards (e.g., ISO), and identify, track, and analyze security flaws
- Tactical and Operational Oversight: Monitoring and reporting of the security posture can determine compliance with the security requirements (e.g., policy, procedures and regulations), gauge the effectiveness of security controls and manage risk, provide a basis for trend analysis, and identify specific areas for improvement
- Establish a Baseline for Monitoring and Improvement: An organization that understands its security posture likely understands its level of security risk
- Assess the Effectiveness of Controls and Gaps Thereof: How well are implemented controls working? What are the gaps? What are the risks associated with the gaps?
- Help With Decision Making: What are real and potential shortcomings? How closely are objectives being met? Is a change of direction needed?
- Risk Identification: What assets need protection? What is their value? What threats and vulnerabilities exist to the assets? What chances for exploitation exist? What is the likely impact?
- Risk Management: Risk assessment (i.e., extent of exposure to threats), controls (i.e., what countermeasures to identified risks), and control assessment (i.e., how effective are those controls?)
- Identify Priorities: Resource deployment based on risk level to assets.
Equally, it must be understood that strategy development is not an annual exercise. It is a continuous process that must evolve as the needs of the business change. To ensure the strategy supports change, this information and analysis will need to be translated into an actionable, repeatable, and reportable strategy that identifies the business case supporting project creation, project prioritization, and investment optimization, while also generating a strategic implementation roadmap. The table below is a simplified example of how to align general security metrics with overarching business drivers.
Business drivers (table columns): Cost Mgt., Risk Mgt., ROI Value, Legal Req., Policy Req., Life Safety, Internal Influence
Security measure or metric (table rows), each marked (X) against the drivers it supports:
- Security cost as a percentage of total company revenue
- The number of safety hazards proactively identified and eliminated annually
- Percentage of critical information assets or functions residing on systems that are currently in compliance with approved system architecture
- The number of failed or ineffectual business unit responses to issues identified as control weaknesses that result from fraud prevention analysis, investigations or other feedback
Table 2-1 Example of Security Metrics Aligned with Overarching Business Drivers
2.3
(Diagram elements: Engagement, Awareness, Intelligence)
2.4 Individual Accountability
It is hard to overstate the importance of effective security awareness and communication. The challenge is to gain buy-in at every level of the organization to understand how security supports and impacts organizational processes, assets, efficiency, and operating objectives. Communication about security is not just an administrative function. Rather, it is an integral component of how to provide tangible value to customers, employees, and stakeholders. Driving security policies using risk-based terminology with business acumen will ensure process owners keep and maintain their respective risk mitigation strategies for the enterprise organization. Taking the perspective of having internal clients with respect to Security (or other processes) will yield internal market forces that help align risks with benefits, holding individual business managers accountable for any failures in security or continuity. For example, methodologies used for efficiency, response, and recovery also enable the development of crisp reporting capabilities that support roll-up activity summaries. These processes will allow security leadership to screen, drill down, or manipulate views into the security strategy to better support the team's ability to customize communications for different security information audiences.
Time is a precious commodity. Defining organizational parameters that conform to control frameworks such as COBiT and ASIS or standards such as ISO 17799 and COSO is not sufficient by itself. They can help describe what information security must achieve, but they do not explain how security capabilities contribute value to the organization (Molinari, 2010). Leveraging an integrated process approach to construct the security governance framework will ensure goals are achieved the right way the first time. Delving deeper, as an integral part of enterprise governance, security leadership, organizational structure, and processes will endure and extend the organization's strategies and objectives (Molinari, 2008). However, it is critical that efforts take an evolutionary approach, to build sustainability into the governance procedures and processes. This will help to gain cultural and formal buy-in from both individual team members and senior executive leadership respectively. To ensure the success of transitioning the security strategy into a working project roadmap, the improvement process illustrated below should be followed:
Identify Needs: Raise awareness and obtain management commitment; Define scope; Define risks; Define resources and deliverables; Plan the Program
Envision Solution: Assess actual performance; Define target for improvement; Analyze gaps and identify improvements
Plan Solution: Define the supporting projects; Develop improvement plan
Implement Solution: Implement improvements; Monitor implementation performance; Review the Program's effectiveness
Operationalize Solution: Build sustainability; Identify new governance requirements
Figure 3-1 Evolutionary Process Improvement Roadmap
1. The security plan solution components will be actionable at multiple levels: (a) project roadmap, (b) dynamic communication framework, and (c) structured security management framework
2. The security strategy will be prepared in business, rather than technical, terms. The content of the strategy will be communicated in a straightforward manner that non-technical executives will find easy to understand. It is crucial to understand that business relevance and insight into what is required to move the security organization ahead matter far more than technical detail.
3. Incorporating input from group and individual knowledge assets will further help develop the strategy, via process identification and risk assessment. When complete, the strategic assessment will include a written in-depth analysis of the current security posture, as well as a recommended implementation roadmap. Depending on the scope of the respective initiative, the strategy should then be used to identify and focus resources to best align security with key business and regulatory compliance objectives. Equally important, ensure the analysis information can be re-purposed for other efforts such as validating existing and future funding levels.
The objective is to gain short-term wins with long-term benefits. This can be achieved by having a proactive security organization instead of a reactionary one. Proactive security requires early identification of the business and technical requirements that can give the security organization the necessary edge to be flexible and adaptable enough to provide holistic services, meeting both immediate needs and providing structure for future growth. Reactive security, by contrast, provides no scope for growth or adaptation and will amount only to expensive firefighting.
Figure 4-1 Security Functional Organization Chart. Dotted lines represent communication only (chart elements: Application Security; Test Security)
4.1 Sample Roles, Responsibilities, and Minimum Qualifications
4.1.1 Top Security Executive: Chief Security Officer
4.1.2
financial loss to the organization. Identifies significant security risks, and designs and implements strategies and programs to prevent and reduce loss of the organization's assets. Establishes appropriate standards and risk controls associated with intellectual property within the operating unit. Directs, coordinates and implements site security, operations and activities to ensure the protection of executives, managers, employees, and physical and information assets, while ensuring optimal use of personnel and equipment. Develops and delivers preventative programs and services to protect against criminal financial loss, counterfeiting, crime against persons, sabotage, threats, emergencies, illegal acts, and property or environmental crimes. Researches and deploys state-of-the-art technology solutions and innovative security management techniques to safeguard the operating unit's assets. Directs the approach, deployment and execution of investigations, and directs team-based systems development efforts. Develops and manages the capital and expense budget for the unit's worldwide security operations. Develops close relationships with high-level law enforcement and international counterparts, including in-country security and international security agencies, intelligence and private sector counterparts worldwide. Briefs executive management on the status of security issues. Develops a consensus position within an organizational climate of diverse operational activities and often-conflicting regulations imposed by agencies with regulatory jurisdiction. Provides leadership direction to the management and professional staff within the organizational unit.
4.1.3
Develops, maintains and audits the analytical and technical aspects of major computer security subsystems. Maintains the integrity of computer workstations, servers, local area networks, upgrading systems and software for the company. Responsible for selecting, testing and the secure installation and operation of cryptographic equipment, secure transmission of classified information and sensitive unclassified information and protection of cryptographic principles and methods. Responsible for identifying and mitigating threats and vulnerabilities associated with compromising electromagnetic emanations from equipment used to process classified information. Develops and provides technical support, training and timely computer system data recovery to end-users. Directs the investigation of computer security incidents, and develops facility protection plans. Directs complex surveillance of computer protection measures, and creates measurement tools for system vulnerability assessments. Keeps senior management informed on major accomplishments, issues and concerns. Develops, trains and directs computer and information security personnel within the organization.
4.1.4
Conducts technical evaluations of hardware, software and installed systems and networks. Conducts certification testing of installed systems to ensure protection strategies are properly implemented.
4.1.5
4.1.6
Develops and implements policies, procedures, standards, training and methods for identifying and protecting information, personnel, property, facilities, operations, or material from unauthorized disclosure, misuse, theft, assault, vandalism, product tampering, espionage, sabotage, or loss. Reviews security project designs and conducts on-site progress assessments to ensure design specifications meet the security needs. Performs security risk assessments based on vulnerability criteria to determine the appropriate levels of protection and security necessary for the site. Recommends and coordinates the acquisition, installation or replacement of equipment designed to increase the efficiency of security operations at facilities. Assists in the evaluation of state-of-the-art products and techniques related to computer hardware and software. Receives and evaluates all security-related incidents and makes recommendations to preclude recurrence. Independently plans and conducts sensitive and complex security assessments and briefs senior management on the status of these investigations. Leads large-scale security inspections and risk assessments. Evaluates the latest products and techniques in communications and other technical equipment. Represents the organization in intra- and inter-company committees. Provides leadership to less experienced Unit Managers and Unit personnel.
4.1.7
policies and procedures. Receives and evaluates all security related incidents and makes recommendations to preclude recurrence. Based on incidents, trends and surveys, recommends corrective action. Prepares written or narrative reports of facility assessment findings. May act as lead person or technical expert on small to medium projects.
5 Budget
5.1 Overview
The majority of large organizations ($100-$500M annual revenue), including not-for-profit and education institutions, spend approximately 7%-10% of the IT budget and a range of 1.7% to 3.6% of operational budgets on security, with expectations to increase expenditures in the following year (Controller, 2011; Security, 2011; Rose & Hayes, 2013). For example, if annual revenues are approximately $300M, the conservative end of the data reflects an approximate annual budget of $5.1M (1.7% X $300M). If an organization is half-way through the 2013 fiscal year and taking an iterative approach to building the security organization, the initial estimates should remain conservative and request $2.5M for start-up capital. The monies would be used to:
- Establish the security program
- Build the functional organization (facilities, personnel, equipment, and training)
- Launch enterprise security policies
This approach is supported by current cost data that reflects the following distribution of funds (Controller, 2011):
- Labor costs (staff and consultants): 64%
- General materials, supplies, and services (training, phones, computers, travel): 11%
- Equipment maintenance and service contracts: 15%
- Security equipment / device purchases: 10%
Once started, it will be important to continue using a design/methodology/approach to best determine an efficient and effective strategy for information security spending. This should start with a whole-systems view of the security spending decision that encompasses people, technology, and economics. This initial methodology will help identify a model that can be used in a practical manner to select a rational approach to estimate spending (Stewart, 2012). Once mature, the security budgeting process should then migrate to the well-established rational economic process used for budgeting capital investments, which applies cost-benefit analysis using the net present value (NPV) model, with the overarching intent of determining a return on information security investments (ROISI) (Gordon & Loeb, 2006; Gordon et al., 2008; Gartner, 2002).
5.2 Labor Cost
The table below depicts security-based salaries for 2012 in the US Central and eastern Mountain regions:
- West North-Central (e.g., Iowa)
- East North Central (e.g., Illinois)
- East South Central (e.g., Tennessee)
- West South Central (e.g., Texas)
- Mountain (e.g., Colorado)
Does Not Include Executive Salaries
Columns: Experience (Years) 1-9 / 10-19 / 20-29; Education Bachelors / Masters; Certifications None / CISSP / PCI / CPP; Environment Non-Profit / Int'l Locations; Average
Values (rows as extracted):
50 55* 55*
97 120 135
55 60
122 135
200 225
50 75 60 60
60 75 68
Figure 5-1 US Central and Mountain Regional Security Salaries for 2012
Note the above numbers demonstrate a median increase of two percent from 2011 (average 3.5%). Also note that the table does not include executive salaries due to extreme variations in payment structures (e.g., perquisites, long-term incentives). However, it is important to understand that economics in one state may vary from another, even if both are in the same region. For example, security personnel salary findings for the Iowa region are on average 17% lower than those of the neighboring regions (ASIS, 2012):
- East North Central (e.g., Illinois)
- East South Central (e.g., Tennessee)
- West South Central (e.g., Texas)
- Mountain (e.g., Colorado)
In keeping with the above example, the table below reflects the adjusted security salaries for the Iowa region.
Columns (as in Figure 5-1): Experience (Years) 1-9 / 10-19 / 20-29; Education Bachelors / Masters; Certifications None / CISSP / PCI / CPP; Environment Non-Profit / Int'l Locations; Average
Values (rows as extracted):
42 46* 46*
81 100 112
46 50
101 112
166 187
42 62 50 50
90 115 96 108
50 62 56
Figure 5-2 Adjusted 2012 Security Salaries for Iowa Region
Using the same approach, executive security officer salaries ranged from $336K to $367K compared to neighboring regions, using tools such as Salary.com and Glassdoor. Note these salaries exclude incentive payments (e.g., stock options), given it is a non-profit private company.
References
American Society for Industrial Security (ASIS). (2010). Convergence of Security Risks: Addressing the Security Dilemma in Today's Age of Blended Threats. Retrieved January 13, 2013 from http://www.asisonline.org/education/docs/SecurityRiskConvergence.pdf
American Society for Industrial Security (ASIS). (2012). 2012 U.S. Salary Survey Salary Results. Security Management, November 2012, 56-60.
Baker, W. and L. Wallace (2007). Is Information Security under Control? Investigating Quality in Information Security Management. IEEE Security and Privacy (5), Piscataway, NJ: IEEE Educational Activities Department, pp. 36-44.
Fenz, S., Ekelhart, A., & Neubauer, T. (2011). Information Security Risk Management: In Which Security Solutions Is It Worth Investing? Communications of AIS, 28, 329-356.
Frosdick, S. (1997). The Techniques of Risk Analysis Are Insufficient in Themselves. Disaster Prevention and Management (6), pp. 165-177.
Gartner. (2002). Winning Asset Management Strategies. Retrieved from www.gartner.com/research/attributes/attr_47450_115.pdf
Gordon, L. A., & Loeb, M. P. (2006). Budgeting Process for Information Security Expenditures. Communications of the ACM, 49(1), 121-125.
Gordon, L. A., Loeb, M. P., Sohail, T., Tseng, C., & Zhou, L. (2008). Cybersecurity, Capital Allocations and Management Control Systems. European Accounting Review, 17(2), 215-241. doi:10.1080/09638180701819972
Herath, H. B., & Herath, T. C. (2008). Investments in Information Security: A Real Options Perspective with Bayesian Postaudit. Journal of Management Information Systems, 25(3), 337-375.
Howe, J. S., & Olsen, B. C. (2009). Security Choice and Corporate Governance. European Financial Management, 15(4), 814-843. doi:10.1111/j.1468-036X.2009.00510.x
Ittner, C. D. and D. F. Larcker (2003). Coming Up Short on Nonfinancial Performance Measurement. Harvard Business Review (81), Philadelphia, PA: Wharton School, University of Pennsylvania. http://view.ncbi.nlm.nih.gov/pubmed/14619154 (current Jan. 30, 2011).
Martin, C., Bulkan, A., & Klempt, P. (2011). Security excellence from a total quality management approach. Total Quality Management & Business Excellence, 22(3), 345-371. doi:10.1080/14783363.2010.545556
Molinari, S. (2008). Bridging the Gap Between Enterprise Business and IT. Retrieved from http://www.scribd.com/doc/45833126/20080326-SMolinari-Bridging-the-Gap-Between-EnterpriseBusiness-and-IT
Molinari, S. (2010). Don't Put All of Your Eggs In One Basket - The Use of Multiple Processes to Prevent Project Failure. Retrieved from http://www.scribd.com/doc/45832284/20100510-SMolinari-MTSThe-Use-of-Multiple-Processes-to-Prevent-Project-Failure
Rose, A. & Hayes, N. (2013). Understand Security And Risk Budgeting For 2013 Benchmarks: The S&R Practice Playbook. Forrester 2013.
SABSA. (2013). Sherwood Applied Business Security Architecture. Retrieved from http://www.sabsainstitute.com/members/sites/default/inlinefiles/SABSA%20Service%20Management%20Matrix%202009.jpg
Stewart, A. (2012). Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor. Information Management & Computer Security, 20(4), 312-326. doi:10.1108/09685221211267675
Swartz, N. (2005). Gartner: Security Is Strategic, Not Technical. Information Management Journal, 39(6), 14.
The Controller's Forum. (2011). Is Your Security Budget Big Enough for Today's Risks? Controller's Report, 2011(10), 3-5.
What Security Executives Want And How They're Trying to Get It. (2011). Security Director's Report, 11(7), 1-11.