BreachExchange mailing list archives

How much security is enough?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Jul 2015 19:04:06 -0600

http://www.firstpost.com/business/much-security-enough-2369530.html


"Reasonable security" is not clearly defined in any regulation or set of
best practices, since its definition is subjective. Gartner research
director Rob McMillan explains why it is best to adopt a risk management
(not a compliance) approach to demonstrating due care.

Provision of adequate information security is a corporate and government
agency obligation. However, a standard to measure how, and if, this
obligation is adequately addressed remains elusive. The legal community has
been searching for a standard, as well as the associated qualitative and
quantitative (for example, spending) benchmarks, by which they can measure
(or litigate) whether a chief information officer (CIO) or chief
information security officer (CISO) is exercising due care. Gartner’s view
is that because of the technical and business complexities involved, no
legislation will adequately define due care in information security through
2020.

CIOs and CISOs often ask questions that can be roughly summarised as, "How
much security is enough?" In these situations, the people asking the
question are often trying to make a case that their security is adequate,
basing that case on either or both of the following:

• A level of expenditure that matches or exceeds an industry average,
such as the figures reported in Gartner's annual IT Key Metrics Data.
However, there are many factors at play, such as variations in risk
appetite, whether you are paying far too much for your infrastructure or
whether you are paying your staff too little.
• A maturity level expressed within the context of an information
security framework, such as Gartner's ITScore for Information Security. But
while there is a correlation between program maturity and security,
maturity alone does not tell you whether your security is adequate.

If a court, for example, assesses the adequacy of your security program,
then it is likely that some variation of a reasonable-steps test will be
applied, depending upon jurisdiction (that is, what a reasonable person
would do under the same or similar circumstances).

Such a test is used broadly, and it is possible several variations of it
may be applied in any one particular circumstance, depending upon the
regulation or case law that applies.

The problem for many practitioners is that the notion of what constitutes
"reasonable" steps is imprecise, highly dependent on circumstances and
changes over time.

Compliance with an industry standard or satisfactory third-party audits may
help mitigate consequences, but may not be a replacement for doing
everything that is reasonably needed to avoid damage to the organisation
or, indeed, to others.

The bottom line is there is no prescriptive document any organisation could
follow that will give complete assurance all reasonable steps have been
implemented, and that the standard of due care in a particular circumstance
has been met. Each organisation must evaluate its own particular
circumstances, and take into account a number of factors to make an
informed judgment about what is "enough."

Focus on managing risk, not compliance

Compliance with regulation is important, but CIOs and CISOs should
repudiate any argument that compliance alone is sufficient.

There are many reasons why laws do not attempt to specifically define
security due care.

Prescribing solutions for all cases, industries and organisation sizes is
impossible and technologies change rapidly.

Furthermore, most legislation is local or national, but many companies
operate internationally. International laws evolve even more slowly than
national laws, and different national laws that recommend specific
technical standards most likely vary by country.

Next, because the threat environment rapidly changes, any definition of
"good enough" is temporary.

Finally, different organisations have different risk affinities that relate
directly to their corporate cultures and business strategies.

Defining reasonable security in the absence of widely accepted standards is
difficult. Unfortunately, the marketplace offers a confusing array of
security-related standards. Some address industry-specific requirements or
regulatory requirements. Various government agencies, such as the U.S.
National Institute of Standards and Technology, produce security
configuration standards that are highly regarded and used widely in the
government sector and, sometimes, the commercial sector. There are
technical standards, such as Web services security, Secure Sockets Layer
and encryption standards, and emerging standards and guidelines for newer
technologies, such as cloud computing. Compounding the problem is that,
although official standards may exist, they may be implemented
inconsistently among vendors. Often, products use proprietary methods that
become de facto standards.

When it comes to information security practice standards, the International
Organisation for Standardisation (ISO) and the International
Electrotechnical Commission's (IEC's) ISO/IEC 27001:2013 provides guidance
on how to develop an information security management program, not just a
set of controls, that is tailored to particular circumstances. It is
complemented by ISO/IEC 27002:2013, which discusses the array of controls
that organisations may consider; ISO/IEC 27005:2011, which provides
guidance on risk management relating specifically to information security;
and ISO/IEC 31000:2009, which provides guidance on risk management more
generally. Earlier versions of these standards were the first steps in what
has become an almost globally accepted requirement to manage information
security as a risk discipline.

The key point to understand is that the guidance documents mentioned
earlier are just that — guidance. Following these documents may be
necessary, but not sufficient. Likewise, getting certification for the
standard may be necessary, but not sufficient.

A strong security program is based on effective management of the
organisation's security risks. A process to do this effectively is what
regulators and auditors look for.

How to assess your risks

Each organisation must comprehensively assess its risks for potential
damage to both the organisation itself and to third parties, and apply all
reasonable steps to reduce the risk to an acceptable level. Be specific,
and record your risk profile in some form of risk register. Failure to do
so may leave the officers responsible for the organisation exposed to
claims of negligence, particularly following a serious security breach.

Any consideration of negligence typically follows a very clear structure
with distinct elements. While this is often the domain of legal counsel
with relevant expertise (and fodder for discussion in the media), IT and
risk executives must ensure they understand how an external party would
assess the efficacy of the organisation's controls in managing its security
risks. This general model gives rise to the following questions that are
specific to the information security discipline.

What is the harm that can result from security failure? Consider both the
potential damage (financial and otherwise) to your own organisation, and
also the potential damage to others, including your employees, contractors,
partners and others.

What is the likelihood of failure? As a general proposition, the growing
list of failures in systems suggests that the likelihood of security
failure in most environments is high. Ensure that you identify the
potential threats to your organisation, and model how those threats may act
and what the outcomes may be.

Is the failure a reasonably anticipated risk? Reasonable foreseeability
does not require that a reasonable person must know how an adverse outcome
may occur, only that the outcome is a possibility.

Does the cost of the remedy outweigh the impact of the risk? Organisations
must assess the affordability of security technologies, procedures and
techniques against perceived threats, in comparison with the value of the
assets under protection or the rewards being pursued. The expense of not
implementing adequate security can be the cost of mitigating a security
failure, such as cleaning up a viral outbreak, or revenue or productivity
loss because of unavailable systems or loss of consumer confidence. Fines
under various federal and state laws, as well as judgments in civil legal
actions, can result from insufficient security investments.

Gartner surveys have found that organisations generally spend 3% to 7% of
their IT budgets on information security. However, there may be good
reasons for spending more or less, and organisations should investigate
expenditures relative to their peers, as well as their own risk profiles,
to determine whether they are spending too little, too much or just enough.

Seek an independent assessment of reasonable steps from an auditor.
Auditors can help focus management attention on control weaknesses that may
have been neglected (for example, due to an erroneous assumption that they
are low priority) and, therefore, require resources and management mandate.
Separation of duties is a classic example of a control that is often an
exception or an accepted risk due to lack of resources.

Above all, recognise that a continually changing notion of what constitutes
reasonable demands regular reassessment. There will be changes in
technology, prevailing industry practice and public expectation. Track
changes relevant to your situation, recognising that external expectations
may be imprecise and subjective, and will continually change over time.
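As an added example (not from the article, Gartner or the mailing list), here is a small Python risk register that applies the four questions above to each entry, checks the cost of the remedy against the likelihood-weighted harm, and flags entries that have not been reassessed within a year. The Risk fields, the AS_OF review date and every figure in REGISTER are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

AS_OF = date(2015, 7, 29)  # constructed review date for the sample register

@dataclass
class Risk:
    name: str
    harm_to_org: float        # loss to the organisation if the failure occurs (money units)
    harm_to_others: float     # loss to employees, partners and customers
    likelihood: float         # probability of failure over the review period, 0..1
    foreseeable: bool         # a reasonable person could anticipate the outcome
    remedy_cost: float        # cost of the control that brings the risk to an acceptable level
    last_reviewed: date
    accepted_reason: str = ""  # rationale recorded if the risk is accepted untreated

def expected_impact(r: Risk) -> float:
    """Likelihood-weighted harm, counting third parties as well as the organisation."""
    return r.likelihood * (r.harm_to_org + r.harm_to_others)

def assess(r: Risk, today: date = AS_OF, review_days: int = 365) -> dict:
    """'treat': the remedy costs less than the expected impact, so leaving it undone is
    hard to defend as a reasonable step. 'accept': remedy outweighs impact and a rationale
    is on record. 'document': acceptance may be defensible but nothing is written down."""
    findings, impact = [], expected_impact(r)
    if not r.foreseeable:
        findings.append("marked not foreseeable; foreseeability only needs the outcome to be possible")
    if (today - r.last_reviewed).days > review_days:
        findings.append("stale entry; reassess as threats and expectations change")
    if r.remedy_cost <= impact:
        decision = "treat"
        if r.accepted_reason:
            findings.append("accepted although the remedy is cheaper than the expected impact")
    elif r.accepted_reason:
        decision = "accept"
    else:
        decision = "document"
        findings.append("no acceptance rationale recorded")
    return {"risk": r.name, "expected_impact": impact, "decision": decision, "findings": findings}

# Constructed sample register; the figures are illustrative, not from the article.
REGISTER = [
    Risk("Unpatched internet-facing web server", 800_000, 200_000, 0.30, True, 60_000, date(2015, 3, 1)),
    Risk("No separation of duties in finance system", 150_000, 0, 0.05, True, 90_000, date(2013, 6, 1),
         accepted_reason="too few staff to split roles; compensating quarterly review"),
    Risk("Lost unencrypted backup tapes", 50_000, 400_000, 0.02, True, 20_000, date(2015, 7, 1)),
]
```

Running `assess` over each entry of REGISTER yields the decision and the findings an auditor would raise for it, which is the record the article recommends keeping.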
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 