Browse any major newspaper, industry journal or security blog today, and it is evident that the number of significant data breaches, from credit card information to health records, is rapidly increasing. Organizations must improve their information assurance capabilities, but the gap between recognizing the problem and developing a solution to address it can be daunting.
Many organizations respond by throwing more technology and personnel at the problem. While this can help, the true answer lies in ensuring that the three core IT teams responsible for information assurance (network operations, security and risk operations, and audit/compliance) have the necessary independence to identify, evaluate and implement the right solutions to reduce risk to the organization.
In the most traditional model of information assurance, which is implemented in many organizations today, network and security operations are tethered together. Similarly, audit (which frequently includes compliance management) is often placed within the IT governance model under the auspices of being an independent entity, despite still being under the same reporting umbrella as the organization it is supposed to audit. Unfortunately, in today's IT environment, an estimated 70% of all security breaches resulting in over $100K in losses come from inside the organization. These structural conflicts prevent each IT team from performing its job independently, effectively and efficiently.
Independence: The Business Case
As Juvenal's famous quote ("Quis custodiet ipsos custodes?", or "Who will watch the watchmen?") indicates, the concern over too much concentrated control (in his case, by the Roman government) left the distinct impression on the populace that they needed assurances to keep those with power in check. In today's world of technology, the problem remains essentially the same: who will watch over IT teams to ensure that they make the right decisions? The answer, too, is similar: they must watch each other.
In technology, as in politics, the concept of separation of duty is used to enforce independence across different groups that support the same business goal while providing a valuable system of checks and balances to ensure that each group operates with some degree of peer oversight. In the case of IT, the network, security and audit teams are most effective when controls are established to ensure that each group functions independently, yet still works collaboratively to support the business.
The idea of keeping IT network, security and audit groups independent from each other is not a new concept; in the past decade, a range of federal regulations, best practices and IT security management frameworks (including Sarbanes-Oxley, NIST 800-53, ISO 17799/27002 and COBIT, among others) have been established that either explicitly state or imply the need to keep certain technology-related groups separate to reduce the likelihood of conflicts of interest, inappropriate collusion and even fraud.
Often, this separation is automated at a granular level within IT systems. Role-based access controls, for example, are often used to differentiate persons who have access to different parts of critical systems, such as enterprise resource planning or customer relationship management. Operationally, however, separation of duty also makes sense within IT governance, as a means of ensuring real independence among those groups responsible for information assurance; for example, separating development and production environments for software developers and database administrators.
In the realm of information assurance, a similar compartmentalization of roles leads to more independent and effective technology governance. The benefits of this independence are significant: each group has the authority to review and comment on the efforts of the other two, ensuring that planning efforts are reviewed with a critical eye. All three groups effectively become peers, sharing in the successes and failures of security and compliance equally; "turf wars" and finger-pointing are reduced when each group has clearly defined roles, boundaries and accountability. Meanwhile, the overall efficiency of the organization is improved as the decision-making process becomes better documented and more socialized throughout the organization.
Common Roadblocks to Independence
While the benefits of independence for network, security and audit are obvious, implementing independence (and, by definition, change) in an existing organization where these teams may already have overlapping reporting structures is not an easy task. Long-tenured political structures, fear of the loss of control and a "silo" or "stovepipe" mentality can make this type of change difficult.
And of course the strongest roadblock to implementing this kind of change is the inevitable flag that any good CFO will raise: "How much will it cost?" Specifically, in many IT organizations where network and security operations are commingled, network operations personnel work double-duty as security practitioners and, in some cases, as compliance auditors as well. In environments where personnel have overlapping responsibilities, implementing independence for network, security and audit means hiring additional personnel. While this may be the right way to run the business, it can present a real barrier to change when significant additional human capital costs are required.
Another issue that is often encountered relates to existing reporting and communication processes. Regardless of reporting structure and personnel, organizations may have existing processes, procedures and tools in place to evaluate information risk, implement changes to the environment, and address audit and compliance activities. In such cases, these tools may be tightly integrated into an existing team structure. By changing the reporting structure of network, security and audit, and potentially adding personnel, extending these tools and processes to new groups may present logistical and technical challenges.
Fortunately, there are many arguments that can help overcome these roadblocks. One of the most effective ways to counter a challenge to reorganization is to clearly state the need based on risk and compliance requirements. An analysis of the potential threats and consequences of a realized risk, such as an insider data breach, can provide strong motivation for any rational CEO or board of directors to consider separating IT network, security and audit. The thought of being "the next big data breach" makes most C-level executives understandably edgy.
Separating these teams also allows the organization to enforce a "need-to-know" policy to mitigate potential internal risks, such as insider threats and fraud. As mentioned earlier, many information assurance frameworks and best practices recommend separation of duty between network and security operations. By tying specific separation of duty statements to your argument (along with potential sanctions for non-compliance, if applicable), a powerful case can be made.
Addressing the financial concerns of implementing independence for information assurance teams can be tricky. The direct costs of the effort, such as adding new personnel and tools, are easy to estimate and visualize, while the perceived long-term cost benefits can be more difficult to justify. One of the most important factors to justify required organizational change is return on investment (ROI). While a rational ROI can often be difficult to calculate, one of the key factors that weighs in favor of independence is the improved specialization (and efficiency) that will result.
For instance, when security resources are no longer pulling double-duty for network operations, they are able to spend much more time improving security engineering skills. Another ROI factor is improved oversight: when network, security and audit are free to collaborate and review each other's work (and challenge it, when appropriate), potential problems may be discovered earlier and, therefore, addressed earlier to reduce overall cost.
An additional argument in support of independence for network, security and audit is the increasing availability of software tools that allow different teams to view the same information in unique ways. Today, many IT governance, risk and compliance (GRC) solutions provide this ability by offering a single interface for network operations (such as asset management, configuration management, capacity planning and performance reporting), security operations (such as event logging, alerting, forensics and risk management) and audit (by mapping IT operations and security data to specific compliance criteria, and providing a test framework for validation).
By working from the same interface, the organization can enforce consistent measurement, reporting metrics and collaboration across all three teams, while also providing a platform to consolidate disparate tools across the enterprise.
Key Considerations
While implementing the right governance structure for information assurance is important, it is also critical for organizations to implement that structure in the right way. Although pitfalls abound, there are a number of proactive measures that can be taken to dramatically improve the process:
Establish an appropriate reporting structure. So what should an information assurance team look like? The changes may not be as extreme as one might think. From a reporting perspective, the benefits of having information security as a peer of network operations in the same top-level organization outweigh the logistical problems of keeping them completely separate. Security operations personnel function as advisors and enforcers of risk-based decisions, and consequently, they should be an active part of the overall IT organization, provided they have an independent reporting path from network operations.
Audit, however, is another story. By its very nature, an audit team that operates in a holistic manner works with a broader spectrum of groups than just IT, and must be in constant communication with human resources, finance and other groups. For this reason alone, audit should be in a separate organization. The rationale for complete separation goes even further, however. When audit is part of the IT group, it can give the appearance that undue influence could be applied. The simple appearance of this influence can potentially taint the efforts of security and compliance auditing, and can lead to finger-pointing in the event that a significant risk manifests itself in the future.
Clearly define roles and responsibilities. By establishing unambiguous boundaries between network, security and audit, a solid separation of duty is defined, and each team is provided with clear marching orders regarding their role in the process of information assurance.
Integrate information assurance into the change management process. Change management is the foundation of a historical record within IT, and a key control mechanism for information assurance. The change management process should include not only technical changes to the environment, but the maturation of information assurance activities as well. An effective change management solution for information assurance ties together configuration, asset management, security policies, standards, procedures and compliance criteria into a workflow-based system.
Unify common language, metrics and tools. There are, of course, risks associated with providing independence to network, security and audit teams. When no longer tied closely together, the common language, metrics and tools used by these groups are at risk of drifting apart over time. For example, while the network operations team may continue to maintain a traditional three-level low, medium and high risk categorization for threats, the security operations team may establish new, more granular risk categorizations. If these common terms and the metrics used to evaluate them are not agreed upon mutually, the possibility of implementing incorrect controls to address risks increases dramatically.
Similarly, software tools are likely to become more specialized when network, security and audit teams are more independent. Tools that aggregate real-time IT operational data with security assessment and risk data, and map both sets of data to specific compliance and audit criteria are valuable to any enterprise, but become even more important as the information assurance program matures.
Consider using frameworks. Building (or re-building) an information assurance governance model does not have to mean re-inventing the wheel. One of the most compelling ways to mitigate the risks of an information assurance model is by relying on the significant body of freely available information designed specifically to help organizations structure and manage security, risk and audit management activities. From international governance standards established by the International Organization for Standardization (ISO), to detailed, end-to-end frameworks and best practices provided by the National Institute of Standards and Technology (NIST), comprehensive information detailing how to build a complete information assurance program is readily available.
Continuously review the information assurance model. Business changes over time, and so will an information assurance program. By continuously evaluating the efficiency, effectiveness and appropriateness of the governance model (and adjusting roles, responsibilities, process and tools accordingly), organizations can maintain the necessary flexibility to address the ever-changing risks to enterprise information.
With the right governance structure in place, using a model that allows network operations, security and audit teams to operate independently but work collaboratively, organizations can build a more effective information assurance program to better safeguard against the many risks to critical business information that exist in today's world.
John Linkous is the governance, risk and compliance evangelist at eIQnetworks, Inc. where he works directly with customers and industry peers to set the company's solution strategy. He has more than 15 years of technology management and consulting experience, specializing in enterprise systems management, information security and regulatory compliance.