A Security Assessment Methodology

Security remains the leading concern that senior executives have about their information and network infrastructures. In many cases, it isn't clear whether the range of security technology in use affords the protections that the organization requires.

Even more disconcerting, many security solutions seem to disrupt normal operations. Employees see slow or blocked access to e-mail, critical applications and other internal resources. And virtual private networks (VPNs), firewalls and e-mail gateways confound interactions with customers, vendors and business partners.

More and more, executives ask: "Do we really need all this security? How do we know where we really stand? Can somebody give me a gauge that lets me know how we're doing with respect to our peers? What's the priority for security in our organization?"

Getting Answers

Traditionally, organizations have taken two approaches to answering these questions:

  • They have assigned an internal committee (often a committee of one) to evaluate the organization's security measures and requirements and to report back to senior management.

  • They have hired an outside organization, such as the corporate auditor, to conduct the study and deliver a formal report.

Creating an internal committee is attractive because it keeps problems "inside the family." Very often, more than one skeleton lurks in the closet, so the smaller the community of people aware of private issues, the better. However, the committee has several uphill battles to fight.

First, it may not have the in-depth expertise to evaluate security measures. As a result, it can never assure its members, or management, that it has addressed all the important criteria. Second, the members' other duties make it difficult for them to complete the study in a timely manner unless they neglect other critical business imperatives. Finally, because the committee members are part of the organization, they can never achieve true objectivity; friendships and office politics may prevent an impartial result.

Thus, hiring an outside organization is the approach often taken by larger companies. Originally, when information technology was less mature than it is today, there were few places to turn for this help. Most obvious was the corporate financial auditing firm. The "Big 5" (or their predecessors) tried to develop specialties in information security. A few technology companies, most notably system and network integrators, also began offering such services. In both cases, however, these organizations perform security assessments as a sideline. They remain most capable in their core competencies: business consulting or technology sales and service, respectively.

More recently, a new option has developed: specialty security firms that have built dedicated teams of highly skilled experts in the technologies and processes of security. Increasingly, this industry segment is becoming the obvious choice for getting answers to security questions.

Cost Is Still a Factor

Retaining an outside organization for a security assessment costs real money. Most vendors quote prices starting in six figures for a "comprehensive" engagement. More importantly, they are often vague about what they will and won't include as part of the scope.

Unless they are truly huge, most companies probably haven't budgeted for such an expense. People seldom have security at the front of their minds when they carve up the limited funds at the beginning of a fiscal year.

Fig. 1

* Most auditing firms and integrators offer free "come-on" assessments to identify significant follow-on tasking.

An integrator may offer a free security review as an incentive for a large deployment contract. Big 5 auditors may bury the cost in an annual audit fee. Some security boutiques bill their penetration testing services as a complete solution.

In the final analysis, it is impossible to compare these costs with one another. All provide limited scope. In most cases, a free assessment is worth what you pay for it. Business audits rarely provide the detail necessary. (And since Big 5 partners do understand how to profitably price their projects, you are not getting a deal.) Penetration tests can only explore about a third of the technology issues of security and completely pass over processes and people.

Settling on a Standard for Completeness

Fortunately, various security-conscious standards organizations--such as the British Standards Institute (BSI), the International Standards Organization (ISO), the U.S. National Institute of Standards and Technology (NIST) and the International System Security Association (ISSA)--have undertaken the task of standardizing what we mean by security.

The first of these, BSI, developed BS 7799, which was adopted by ISO as ISO 17799. This standard creates a veritable laundry list of security criteria, laying the foundation for a comprehensive assessment of any organization. Other standards have emerged from these and other organizations, but BS 7799 (ISO 17799) has become the most widely accepted and recognized.

Fig. 2

Because so many security standards exist, it is often difficult to determine which best applies to an organization. Generic standards offer the most comprehensive view, but they often require security measures that are inappropriate in one industry or another. They fail to take into account the context.

For example, the concept of intellectual capital is relatively unimportant in newspaper publishing, since news is printed within hours of its acquisition. A law firm, on the other hand, must keep close wraps on the information it uses, to protect the privacy of its customers. And a biotech firm must protect its trade secrets.

The best assessments adapt standards to the type of organization they evaluate. This is sometimes possible by using industry-specific standards, but these documents frequently do not cover the same breadth of issues as the generic standards. More importantly, few industries have actually adopted standards, although the number is steadily growing. To ensure agreement with industry practice, the auditor should possess industry benchmark data on security practices for a wide variety of market segments.

Making It Relevant

Unfortunately, the nature of standards documents often makes them rather difficult to comprehend as a whole. Experienced security experts can traverse the list of criteria, but the assessment customer usually lacks the training and experience to make the standard relevant to its business situation. Just as a shopping list doesn't guide you through the grocery store, the security standard doesn't guide its application and interpretation.

What is needed is a map that makes it easy to interpret the assessment findings in the context of the organization. Serving as a model of the organization, the map routes readers through the results. Making the findings relevant greatly enhances their value to the customer.

The most obvious way to model an organization is to partition it into risk domains. For many e-business applications, three major risk domains will suffice: operational infrastructure, exogenous factors and protective boundary.

  • The operational infrastructure includes the systems and information vital to the organization's ongoing business. These are usually the "crown jewels" that require the highest level of protection. Most often, this domain contains compartments (subdomains). For example, most companies have human resources records, financial data, executive information systems and intellectual capital that must be kept safe from outsiders. Moreover, these subdomains must not intermix. As a result, issues of employee privacy, insider trading, and tactical and competitive advantage dictate that the business apply the appropriate best practices to securing the operational infrastructure.

  • Exogenous factors reflect the environment in which the organization must operate. They include customers, partners, vendors and regulatory agencies. They also include hackers and other nefarious individuals or groups that would do harm if given a chance.

  • The protective boundary enforces the division of the first two domains. It keeps in that which must stay in, and keeps out that which must stay out. When appropriate, however, the protective boundary should enable free exchange of services and data.

Within the risk domains are enablers, which act to secure the domain. Conventionally, security experts divide enablers into technology, processes and people. Most organizations pay careful attention to the first of these, using firewalls, access control mechanisms, authentication servers, virus scanners, intrusion detection systems and a plethora of other devices and software.

However, technology enablers are ineffective without careful attention to the people and processes that operate and maintain them. Moreover, technology can be cost-prohibitive to apply across the board. In some cases, no mechanism exists to fill a particular void. This is where processes and people become even more important.

Putting the risk domains together with the enablers leads to a simple, 3-by-3 matrix that is easy to comprehend. It permits assessment consultants to present their findings to customers in a way they can understand, framing the security criteria in the context of the business.

Fig. 3

While standardizing the criteria (and doing so comprehensively) is necessary, it is not sufficient to guarantee a quality assessment. The critical objective of any assessment is to determine the most cost-effective manner to reduce residual risk to an acceptable level. Failure to meet this objective renders the project's output worthless.

Risk comprises two components: impact and likelihood. For example, penetration testing can gauge an Internet connection's likelihood of breach. However, even if the testing reveals major vulnerabilities, it still provides no basis for determining risk. That's possible only by understanding what, if any, impact such a breach would have on the organization. A low impact greatly reduces the risk that such vulnerability poses. Conversely, exposure of a sensitive data repository--customer credit card numbers, for example--represents a high-impact incident. Any known vulnerability affecting that repository leads to a high risk.

Cost is the other major factor that makes the results of a security assessment relevant. Executives need to prioritize risk remediation activities. Setting these priorities depends largely on the cost/benefit tradeoff. In this case, reducing risk is the benefit, so cost is the independent variable.

Cost, in turn, has its components. For example, the capital cost of security technology represents a real dollar value that anybody can understand. Similarly, the labor expense to implement and integrate the technology is easily measured. Ongoing maintenance, which is often overlooked, must factor into the equation, too.
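As an added illustration of the framework above (example code written for this edit, not part of the Vigilinx white paper), the following Python sketch scores constructed sample findings by impact and likelihood, places them in the 3-by-3 risk-domain/enabler matrix, and ranks remediations by risk reduced per dollar of capital, labor and ongoing maintenance. The 1-to-5 scales, the three-year maintenance horizon and every finding are assumptions.

```python
from dataclasses import dataclass

# The paper's three risk domains and three enablers (the 3-by-3 matrix).
DOMAINS = ("operational infrastructure", "exogenous factors", "protective boundary")
ENABLERS = ("technology", "processes", "people")


@dataclass
class Finding:
    name: str
    domain: str
    enabler: str
    impact: int               # assumed 1 (negligible) .. 5 (business-critical)
    likelihood: int           # assumed 1 (rare) .. 5 (near certain)
    residual_likelihood: int  # likelihood expected after the proposed fix
    capital: float            # one-time technology purchase
    labor: float              # implementation and integration effort
    maintenance_per_year: float
    years: int = 3            # assumed planning horizon for maintenance

    def __post_init__(self):
        assert self.domain in DOMAINS and self.enabler in ENABLERS

    def risk(self) -> int:            # risk = impact x likelihood
        return self.impact * self.likelihood

    def residual_risk(self) -> int:   # what remains after remediation
        return self.impact * self.residual_likelihood

    def total_cost(self) -> float:    # capital + labor + maintenance over horizon
        return self.capital + self.labor + self.maintenance_per_year * self.years

    def reduction_per_dollar(self) -> float:
        reduction = self.risk() - self.residual_risk()
        return float("inf") if self.total_cost() == 0 else reduction / self.total_cost()


def prioritize(findings):
    """Rank remediations by risk reduction per dollar (cost is the independent variable)."""
    return sorted(findings, key=lambda f: f.reduction_per_dollar(), reverse=True)


def matrix(findings):
    """Sum current risk into each cell of the domain x enabler matrix."""
    grid = {(d, e): 0 for d in DOMAINS for e in ENABLERS}
    for f in findings:
        grid[(f.domain, f.enabler)] += f.risk()
    return grid


SAMPLE = [  # constructed sample findings, not real assessment data
    Finding("Unpatched Internet-facing web server", "protective boundary", "technology", 5, 4, 1, 0.0, 2000.0, 500.0),
    Finding("No background checks for finance staff", "operational infrastructure", "people", 4, 2, 1, 0.0, 1500.0, 3000.0),
    Finding("Vendor VPN accounts never reviewed", "exogenous factors", "processes", 3, 3, 1, 0.0, 800.0, 400.0),
]
```

Running `prioritize(SAMPLE)` puts the web server first and the background-check finding last: its high impact is what lifts the first finding's risk, while the recurring cost of the second drags its benefit per dollar down.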

Copyright © 2001, Vigilinx Digital Security Solutions

About Vigilinx

Vigilinx Digital Security Solutions offers a complete line of security products and services, including security intelligence, managed security services, knowledge products, security advisory consulting, integration services, investigation/forensics services and training. The company serves both midsize and Fortune 500 organizations and has industry practices devoted to vertical markets, including financial services, telecommunications, government, media and entertainment, and general services. For more information, visit the company online at www.vigilinx.com. For a copy of the complete "Security Assessment Methodology" white paper, refer to http://www.vigilinx.com/sam_request.html.
