United States General Accounting Office
GAO
Accounting and Information Management Division
November 1997

Executive Guide
Information Security Management
Learning From Leading Organizations

Exposure Draft
GAO/AIMD-98-21

Preface

The dramatic increase in computer interconnectivity and the popularity of the Internet are offering government agencies, businesses, educational institutions, and others unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information. Many organizations are using their systems now to instantly provide information to, and communicate with, the communities they serve. At the same time, they are exploring innovative ways to expand their use of electronic data and telecommunications to take further advantage of the increasingly networked computer environment.

However, the ultimate success of many of these efforts depends on an organization's ability to protect the integrity, privacy, and availability of the data and systems it relies on. As organizations increase their reliance on electronic information, they must have assurance that the information they use has not been inappropriately altered and that its confidentiality is appropriately protected. Further, the information must be readily available with few disruptions in the operation of supporting computer and telecommunications systems. Without these assurances, organizations expose themselves to risks from fraud, sabotage, and other malicious acts; user errors; natural disasters; and other events that may result in a loss of assets, disclosure of sensitive data, inability to carry out critical operations, or incidents leading to a loss of customer or taxpayer confidence.

Deficiencies in federal information security are receiving increasing attention, in part due to our government's growing reliance on automated systems and electronic data.
Audit reports are identifying serious information security deficiencies at a growing number of agencies, and, in February 1997, in a series of reports to the Congress, GAO designated information security as a new governmentwide high-risk area. Most recently, the President's Commission on Critical Infrastructure Protection described the potentially devastating implications of poor information security in its October 1997 report entitled Critical Foundations: Protecting America's Infrastructures.

Although many factors contribute to information security deficiencies at federal agencies, GAO and inspector general audits have found that an underlying cause is that senior agency officials have not established a management framework for exploring and reducing the information security risks associated with their operations. To assist federal agencies in establishing such a framework, Senators Fred Thompson and John Glenn, Chairman and Ranking Minority Member, respectively, of the Senate Committee on Governmental Affairs, requested that we study organizations with reputations for having superior security programs to identify practices that could be adopted successfully by federal agencies. The results of this study are outlined in this exposure draft, which we expect to issue as an executive guide in early 1998.

This guide is one of a series of GAO efforts intended to more specifically define the actions federal officials can take to better manage the information resources upon which our nation is increasingly reliant. Other guides developed by GAO are listed in appendix I.

This guide was prepared under the direction of Jack Brock, Director, Information Resources Management-General Government Issues. You may submit comments before December 31, 1997, by phone, email, or regular mail to Jean Boltz at the following:

Phone: (202) 512-5247
Email: email@example.com
Mail: Jean Boltz, AIMD, U.S.

GAO/AIMD-98-21 Information Security Management Page 1
General Accounting Office, Room 4T21, 441 G Street, NW, Washington, D.C. 20548

Gene L. Dodaro
Assistant Comptroller General
Accounting and Information Management Division

Contents

Federal Information Security Is A Growing Concern 5
Leading Organizations Apply Fundamental Risk Management Principles 14
Assess Risk and Determine Needs 20
Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected 21
Practice 2: Develop Practical Risk Assessment Procedures That Link Security to Business Needs 23
Practice 3: Hold Program or Business Managers Accountable 26
Case Example: A Practical Method for Involving Business Managers in Risk Assessment 27
Practice 4: Manage Risk on a Continuing Basis 28
Getting Started-Assessing Risk and Determining Needs 30
Establish A Central Management Focal Point 31
Case Example: Transforming an Organization's Central Security Focal Point 32
Practice 5: Designate A Central Group to Carry Out Key Activities 33
Practice 6: Provide the Central Group Ready and Independent Access to Senior Executives 35
Practice 7: Designate Dedicated Funding and Staff 36
Practice 8: Enhance Staff Professionalism and Technical Skills 38
Getting Started-Establishing A Central Focal Point 41
Implement Appropriate Policies and Related Controls 42
Practice 9: Link Policies to Business Risks 43
Practice 10: Distinguish Between Policies and Guidelines 45
Practice 11: Support Policies Through the Central Security Group 47
Getting Started-Implementing Appropriate Policies and Related Controls 48
Promote Awareness 49
Practice 12: Continually Educate Users and Others on Risks and Related Policies 50
Practice 13: Use Attention-Getting and User-Friendly Techniques 51
Case Example: Coordinating Policy Development and Awareness Activities 52
Getting Started-Promoting Awareness 52
Monitor and Evaluate Policy and Control Effectiveness 53
Practice 14: Monitor Factors that Affect Risk and Indicate Security Effectiveness 54
Case Example: Developing an Incident Database 56
Practice 15: Use Results to Direct Future Efforts and Hold Managers Accountable 58
Case Example: Measuring Control Effectiveness and Management Awareness 59
Practice 16: Be Alert to New Monitoring Tools and Techniques 60
Getting Started-Monitoring and Evaluating Policy and Control Effectiveness 61
Conclusion 62
Appendix I - GAO Guides on Information Technology Management 63
Appendix II - NIST's Generally Accepted Principles and Practices for Securing Information Technology Systems 64
Appendix III - Major Contributors to This Executive Guide 65
GAO Reports and Testimonies on Information Security 66

Abbreviations

CEO Chief Executive Officer
CERT Computer Emergency Response Team
CIO Chief Information Officer
CISSP Certified Information Systems Security Professional
GAO General Accounting Office
NIST National Institute of Standards and Technology
OMB Office of Management and Budget

Federal Information Security Is A Growing Concern

Electronic information and automated systems are essential to virtually all major federal operations. If agencies cannot protect the availability, integrity, and, in some cases, the confidentiality, of this information, their ability to carry out their missions will be severely impaired. However, despite the enormous dependence on electronic information and systems, audits continue to disclose serious information security weaknesses. As a result, billions of dollars in federal assets are at risk of loss, vast amounts of sensitive data are at risk of inappropriate disclosure, and critical computer-based operations are vulnerable to serious disruptions.
Most senior federal executives, like many of their private sector counterparts, are just beginning to recognize the significance of these risks and to fully appreciate the importance of protecting their information resources. In some cases, this awareness has been prompted by disturbing break-ins and damage to agency systems that have illustrated the vulnerability of operations supported by these resources. Some of these events are pranks that result in little or no lasting damage, such as placing graffiti on agency Internet web pages. However, because controls and incident reporting procedures are weak, other losses or inappropriate disclosures of sensitive information could be occurring without detection, and the risk of significant losses is high. It is important that senior agency executives, chief information officers, and agency program managers recognize these risks and take steps to mitigate them.

This guide is designed to promote senior executives' awareness of information security issues and to provide information they can use to establish a management framework for more effective information security programs. The opening segments describe the problem of weak information security at federal agencies, identify existing federal guidance, and describe the issue of information security management in the context of other information technology management issues. The remainder of the guide describes 16 practices, organized under 5 management principles, that GAO identified during a study of nonfederal organizations with reputations for having good information security programs. Each of these practices contains specific examples of the techniques used by these organizations to increase their security program's effectiveness.
Potential Risks Are Significant

Although they have relied on computers for years, federal agencies, like businesses and other organizations throughout the world, are experiencing an explosion in the use of electronic data and networked computer systems. As a result, agencies have become enormously dependent on these systems and data to support their operations. The Department of Defense, alone, has a vast information infrastructure that includes 2.1 million computers and over 10,000 networks that are used to exchange electronic messages, obtain data from remote computer sites, and maintain critical records. Civilian agencies also are increasingly reliant on automated, often interconnected, systems, including the Internet, to support their operations. For example,

* law enforcement officials throughout the United States and Canada rely on the Federal Bureau of Investigation's National Crime Information Center computerized database for access to sensitive criminal justice records on individual offenders;
* the Internal Revenue Service relies on computers to process and store hundreds of millions of confidential taxpayer records;
* the Customs Service relies on automated systems to support its processing and inspection of hundreds of billions of dollars worth of goods imported into the United States; and
* many federal agencies, such as the Social Security Administration, the Department of Agriculture, and the Department of Health and Human Services, rely on automated systems to manage and distribute hundreds of billions of dollars worth of payments to individuals and businesses, such as medicare, social security, and food stamp benefits.

Although these advances promise to streamline federal operations and improve the delivery of federal services, they also expose these activities to greater risks.
This is because automated systems and records are fast replacing manual procedures and paper documents, which in many cases are no longer available as "backup" if automated systems should fail. This risk is exacerbated because, when systems are interconnected to form networks or are accessible through public telecommunication systems, they are much more vulnerable to anonymous intrusions from remote locations. Additionally, much of the information maintained by federal agencies, although unclassified, is extremely sensitive, and many automated operations are attractive targets for individuals or organizations with malicious intentions, such as committing fraud for personal gain or sabotaging federal operations. Several agencies have experienced intrusions into their systems, and there are indications, such as tests at the Department of Defense, that the number of attacks is growing and that many attacks are not detected.

[Figure: Information Security Risks. Threats (attempts to access private information, sabotage, malicious acts, natural disaster, fraud, pranks, user error) act on the systems supporting federal operations; the potential damage includes loss of taxpayer confidence, compromised integrity of federal data and reports, interrupted services and benefits, halted critical operations, and lost assets.]

Weaknesses Abound, But Management Attention Has Been Lacking

"Just as in the private sector, many federal agencies are reluctant to make the investments required in this area [of computer security] because of limited budgets, lack of direction and prioritization from senior officials, and general ignorance of the threat."
- Statement of Gary R.
Bachula, Acting Under Secretary for Technology, Department of Commerce, before House Science Subcommittee on Technology, June 19, 1997

Unfortunately, federal agencies are not adequately protecting their systems and data. In September 1996, we reported that audit reports and agency self-assessments issued during the previous 2 years showed that weak information security was a widespread problem.[1] Specifically, weaknesses such as poor controls over access to data and inadequate disaster recovery plans increased the risk of losses, inappropriate disclosures, and disruptions in service associated with the enormous amounts of electronically maintained information essential for delivering federal services and assessing the success of federal programs. Due to these previously reported weaknesses and findings resulting from our ongoing work, in February 1997, we designated information security as a new governmentwide high-risk issue.[2]

In our September 1996 report, we stated that an underlying cause of federal information security weaknesses was that agencies had not implemented information security programs that (1) established appropriate policies and controls and (2) routinely monitored their effectiveness. Despite repeated reports of serious problems, senior agency officials had not provided the management attention needed to ensure that their information security programs were effective. Also, in that report, we made a number of recommendations intended to improve the Office of Management and Budget's (OMB) oversight of agency information security practices and strengthen its leadership role in this area.
Specifically, we recommended that OMB promote the federal Chief Information Officers Council's adoption of information security as one of its top priorities and encourage the council to develop a strategic plan for increasing awareness of the importance of information security, especially among senior agency executives, and improving information security program management governmentwide. Initiatives that we suggested for the CIO Council to consider incorporating in its strategic plan included (1) developing information on the existing security risks associated with nonclassified systems currently in use, (2) developing information on the risks associated with evolving practices, such as Internet use, (3) identifying best practices regarding information security programs so that they can be adopted by federal agencies, (4) establishing a program for reviewing the adequacy of individual agency information security programs using interagency teams of reviewers, (5) ensuring adequate review coverage of agency information security practices by considering the scope of various types of audits and reviews performed and acting to address any identified gaps in coverage, (6) developing or identifying training and certification programs that could be shared among agencies, and (7) identifying proven security tools and techniques.

Although there is much that OMB can do in this area, we recognize that information security is primarily the responsibility of individual agencies. This is because agency managers are in the best position to assess the risks associated with their programs and to develop and implement appropriate policies and controls to mitigate these risks.

[1] Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 24, 1996).
[2] High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).
Accordingly, in our reports over the last several years, we have made dozens of specific recommendations to individual agencies. Although many of these recommendations have been implemented, similar weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis. A list of our previous reports on information security is provided at the end of this guide.

Requirements Are Outlined in Laws and Guidance

The need for federal agencies to protect sensitive and critical, but unclassified, federal data has been recognized for years in various laws, including the Privacy Act of 1974, the Paperwork Reduction Act of 1995, and the Computer Security Act of 1987. Further, since enactment of the original Paperwork Reduction Act in 1980, OMB has been responsible for developing information security guidance and overseeing agency practices, and the Computer Security Act assigns the National Institute of Standards and Technology (NIST) primary responsibility for developing technical standards and providing related guidance. OMB, NIST, and agency responsibilities regarding information security were recently reemphasized in the Clinger-Cohen Act of 1996, formerly named the Information Technology Management Reform Act of 1996.

The adequacy of controls over computerized data is also addressed indirectly by the Federal Managers' Financial Integrity Act of 1982 and the Chief Financial Officers Act of 1990. The Federal Managers' Financial Integrity Act requires agency managers to annually evaluate their internal control systems and report to the President and the Congress any material weaknesses that could lead to fraud, waste, and abuse in government operations. The Chief Financial Officers Act requires agencies to develop and maintain financial management systems that provide complete, reliable, consistent, and timely information.
In addition, a considerable body of federal guidance on information security has been developed. OMB has provided guidance since 1985 in its Circular A-130, Appendix III, "Security of Federal Automated Information Resources," which was updated in February 1996. Further, NIST has issued numerous Federal Information Processing Standards, as well as a comprehensive description of basic concepts and techniques entitled An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12, December 1995, and "Generally Accepted Principles and Practices for Securing Information Technology Systems,"[3] published in September 1996.

Additional federal requirements have been established for the protection of information that has been classified for national security purposes. However, these requirements are not discussed here because this guide pertains to the protection of sensitive but unclassified data, which comprise the bulk of data supporting most federal operations.

Exploring Practices of Leading Organizations

To supplement our ongoing audit work at federal agencies and gain a broader understanding of how information security programs can be successfully implemented, we studied the management practices of eight nonfederal organizations recognized as having strong information security programs. The specific objective of our review was to determine how such organizations have designed and implemented their programs in order to identify practices that could be applied at federal agencies. We focused primarily on the management framework that these organizations had established rather than on the specific controls that they had chosen, because previous audit work had identified security management as an underlying problem at federal agencies.

[3] Appendix II lists the principles identified in NIST's Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
Although powerful technical controls, such as those involving encryption, are becoming increasingly available to facilitate information security, effective implementation requires that these techniques be thoughtfully selected and that their use be monitored and managed on an ongoing basis. In addition, there are many aspects of information security, such as risk assessment, policy development, and disaster recovery planning, that require coordinated management attention.

To identify leading organizations, we reviewed professional literature and research information and solicited suggestions from experts in professional organizations, nationally known public accounting firms, and federal agencies. In selecting organizations to include in our study, we relied primarily on recommendations from the Computer Security Institute and public accounting firms because they were in a position to evaluate and compare information security programs at numerous organizations. In addition, we attempted to select organizations from a variety of business sectors to gain a broad perspective on the information security practices being employed.

After initial conversations with a number of organizations, we narrowed our focus to eight organizations that had implemented fairly comprehensive organizationwide information security programs. All were prominent nationally known organizations. They included a financial services corporation, a regional electric utility, a state university, a retailer, a state agency, a nonbank financial institution, a computer vendor, and an equipment manufacturer. The number of computer users at these organizations ranged from 3,500 to 100,000, and four had significant international operations. Because most of the organizations we studied considered discussions of their security programs to be sensitive and they wanted to avoid undue public attention on this aspect of their operations, we agreed not to identify the organizations by name.
We obtained information primarily through interviews with senior security managers and document analysis conducted during and after visits to the organizations we studied. In a few cases, we toured the organizations' facilities and observed practices in operation. We supplemented these findings, to a very limited extent, with information obtained from others. For example, at the state agency we visited, we also met with a statewide security program official and with state auditors. In addition, we asked the Computer Security Institute to query its members about their efforts to measure the effectiveness of their security programs in order to gain a broader perspective of practices in this area.

To determine the applicability of the leading organizations' practices to federal agencies, we discussed our findings with numerous federal officials, including officials in OMB's Information Policy and Technology Branch, the Computer Security Division of NIST's Information Technology Laboratory, CIO Council members, the chairman of the Chief Financial Officers Council's systems subcommittee, information security officers from 15 federal agencies, and members of the President's Commission on Critical Infrastructure Protection. Further, we discussed our findings with our Executive Council on Information Management and Technology, a group of executives with extensive experience in information technology management who advise us on major information management issues affecting federal agencies.

Throughout the guide, we make several observations on federal information security practices in order to contrast them with the practices of the nonfederal organizations we studied.
These observations are based on the body of work we have developed over the last several years and on our recent discussions with federal information security officers and other federal officials who are knowledgeable about federal information security practices. Although we attempted to be as thorough as possible within the scope of our study, we recognize that more work in this area remains to be done, including a more in-depth study of individual practices. We also recognize that the practices require customized application at individual organizations depending on factors such as existing organizational strengths and weaknesses.

Security as an Element of a Broader Information Management Strategy

Although this guide focuses on information security program management, this is only one aspect of an organization's overall information management strategy. As such, an organization's success in managing security-related efforts is likely to hinge on its overall ability to manage its use of information technology. Unfortunately, federal performance in this broader area has been largely inadequate. Over the past 6 years, federal agencies have spent a reported $145 billion on information technology with generally disappointing mission-related results.

Recognizing the need for improved information management, the Congress has enacted legislation that is prompting landmark reforms in this area. In particular, the Paperwork Reduction Act of 1995 emphasized the need for agencies to acquire and apply information resources to effectively support the accomplishment of agency missions and the delivery of services to the public. The Clinger-Cohen Act of 1996 repeated this theme and provided more detailed requirements. These laws emphasize involving senior executives in information management decisions, appointing senior-level chief information officers, and using performance measures to assess the contribution of technology in achieving mission results.
Although their primary focus is much broader, both of these laws specify security as one of the aspects of information management that must be addressed. This environment of reform is conducive to agencies rethinking their security programs, as part of broader information management changes, and considering the implementation of the practices that have been adopted by nonfederal organizations.

Other Issues Affecting Federal Information Security

Security program management and the related implementation of controls over access to data, systems, and software programs, as well as service continuity planning, are central factors affecting an organization's ability to protect its information resources and the program operations that these resources support. However, there are numerous policy, technical, legal, and human resource issues that are not fully within the control of officials at individual agencies. These issues are currently being debated and, in many cases, addressed by private-sector and federal efforts. They include, but are not limited to, matters concerning (1) the use of encryption to protect the confidentiality of information and other cryptographic capabilities, including digital signatures and integrity checks, (2) personal privacy, (3) the adequacy of laws protecting intellectual property and permitting investigations into computer-related crimes, and (4) the availability of adequate technical expertise and security software tools. These topics are beyond the scope of this guide and, thus, are not discussed herein. However, it is important to recognize that strengthening information security requires a multifaceted approach and sometimes involves issues that are beyond the control of individual businesses and agencies.
Although the management practices described in this guide are fundamental to improving an organization's information security posture, they should be considered in the context of this broader spectrum of issues.

Leading Organizations Apply Fundamental Risk Management Principles

The organizations we studied were striving to manage the same types of risks that face federal agencies. To do so, they had responded to these risks by reorienting their security programs from relatively low-profile operations focused primarily on mainframe security to visible, integral components of their organizations' business operations. Because of the similarities in the challenges they face, we believe that federal entities can learn from these organizations to develop their own more effective security programs.

Federal and Nonfederal Entities Face Similar Risks and Rely on Similar Technologies

Like federal agencies, the organizations we studied must protect the integrity, confidentiality, and availability of the information resources they rely on. Although most of the organizations we studied were private business enterprises motivated by the desire to earn profits, their information security concerns focused on providing high-quality reliable service to their customers and business partners, avoiding fraud and disclosures of sensitive information, promoting efficient operations, and complying with applicable laws and regulations. These are the same types of concerns facing federal agencies. Also, like federal agencies, the organizations we studied relied, to varying degrees, on a mix of mainframe and client-server systems and made heavy use of interconnected networks. In addition, all were either using or exploring the possibilities of using the Internet to support their business operations.
Information Security Objectives Common to Federal and Nonfederal Entities

* Maintain customer, constituent, stockholder, or taxpayer confidence in the organization's products, services, efficiency, and trustworthiness
* Protect the confidentiality of sensitive personal and financial data on employees, clients, customers, and beneficiaries
* Protect sensitive operational data from inappropriate disclosure
* Avoid third-party liability for illegal or malicious acts committed with the organization's computer or network resources
* Ensure that organizational computer, network, and data resources are not misused or wasted
* Avoid fraud
* Avoid expensive and disruptive incidents
* Comply with pertinent laws and regulations
* Avoid a hostile workplace atmosphere that may impair employee performance

Risk Management Principles Provide A Framework for an Effective Information Security Program

Although the nature of their operations differed, the organizations we studied all had embraced five risk management principles, which are listed in the box below. These principles guided the organizations' efforts to manage the risk associated with the increasingly automated and interconnected environment in which they functioned.

Risk Management Principles Implemented by Leading Organizations

* Assess risk and determine needs
* Establish a central management focal point
* Implement appropriate policies and related controls
* Promote awareness
* Monitor and evaluate policy and control effectiveness

An important factor in effectively implementing these principles was linking them in a cycle of activity that helped ensure that information security policies addressed current risks on an ongoing basis.
The single most important factor in prompting the establishment of an effective security program was a general recognition and understanding among the organization's most senior executives of the enormous risks to business operations associated with relying on automated and highly interconnected systems. However, risk assessments of individual business applications provided the basis for establishing policies and selecting related controls. Steps were then taken to increase the awareness of users concerning these risks and related policies. The effectiveness of controls and awareness activities was then monitored through various analyses, evaluations, and audits, and the results provided input to subsequent risk assessments, which determined if existing policies and controls needed to be modified. All of these activities were coordinated through a central security management office or group who served as consultants and facilitators to individual business units and senior management. This risk management cycle is illustrated in the diagram below.

[Figure: Risk Management Cycle. Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, and Monitor & Evaluate form a loop, with a Central Focal Point at the center.]

This continuing cycle of monitoring business risks, maintaining policies and controls, and monitoring operations parallels the process associated with managing the controls associated with any type of program. In addition, these principles should be familiar to federal agency officials since they have been emphasized in much of the recent guidance pertaining to federal information security. Most notably, they incorporate many of the concepts included in NIST's September 1996 publication, Generally Accepted Principles and Practices for Securing Information Technology Systems, and in OMB's February 1996 revision of Circular A-130, Appendix III, "Security of Federal Automated Information Resources."
Principles Were Implemented Through Similar Practices

The organizations we studied had developed similar sets of practices to implement the five risk management principles, although the techniques they employed varied depending largely on each organization's size and culture. Some programs were less mature than others and had not fully implemented all of the practices. However, security managers at each organization we studied agreed that the 16 practices outlined in the following illustration, which relate to the five risk management principles, were key to the effectiveness of their programs.

Sixteen Practices Employed by Leading Organizations To Implement the Risk Management Cycle

Assess Risk and Determine Needs
1. Recognize information resources as essential organizational assets
2. Develop practical risk assessment procedures that link security to business needs
3. Hold program and business managers accountable
4. Manage risk on a continuing basis

Establish a Central Management Focal Point
5. Designate a central group to carry out key activities
6. Provide the central group ready and independent access to senior executives
7. Designate dedicated funding and staff
8. Enhance staff professionalism and technical skills

Implement Appropriate Policies and Related Controls
9. Link policies to business risks
10. Distinguish between policies and guidelines
11. Support policies through central security group

Promote Awareness
12. Continually educate users and others on risks and related policies
13. Use attention-getting and user-friendly techniques

Monitor and Evaluate Policy and Control Effectiveness
14. Monitor factors that affect risk and indicate security effectiveness
15. Use results to direct future efforts and hold managers accountable
16. Be alert to new monitoring tools and techniques

The following pages provide a more detailed discussion of these practices and illustrative examples of the techniques used to implement them by the organizations we studied.

Assess Risk and Determine Needs

[Diagram: risk management cycle, highlighting Assess Risk and Determine Needs.]

"We are not in the business of protecting information. We only protect information insofar as it supports the business needs and requirements of our company." - Senior security manager at a major electric utility

All of the organizations we studied said that risk considerations and related cost-benefit tradeoffs were a primary focus of their security programs. Security was not viewed as an end in itself, but a set of policies and related controls designed to support business operations. Controls were identified and implemented to address specific business risks. As one organization's security manager said, "Because every control has some cost associated with it, every control needs a business reason to be put in place."

Regardless of whether they were analyzing existing or proposed operations, security managers told us that identifying and assessing information security risks in terms of the impact on business operations was an essential step in determining what controls were needed and what level of resources could be expended on controls. In this regard, understanding the business risks associated with information security was the starting point of the risk management cycle.

Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected

"Information technology is an integral and critical ingredient for the successful functioning of major U.S. companies."
- Deloitte & Touche LLP Survey of American Business Leaders, November 1996

The organizations we studied recognized that information and information systems were critical assets essential to supporting their operations that must be protected. As a result, they viewed information protection as an integral part of their business operations and of their strategic planning.

Senior Executive Support Is Crucial

In particular, senior executive recognition of information security risks and interest in taking steps to understand and manage these risks were the most important factors in prompting development of the information security programs we studied. Such high-level interest helped ensure that information security was taken seriously at lower organizational levels and that security specialists had the resources needed to implement an effective program. This contrasts with the view expressed to us by numerous federal managers and security experts that many top federal officials have not recognized the indispensable nature of electronic data and automated systems to their program operations. As a result, security-related activities intended to protect these resources do not receive the resources and attention that they merit.

In some cases, senior management's interest at the organizations we studied had been generated by an incident that starkly illustrated the organization's information security vulnerabilities, even though no damage may have actually occurred. In other cases, incidents at other organizations had served as a "wake-up call." Two organizations noted that significant interest on the part of the board of directors was an important factor in their organizations' attention to information security.
However, security managers at many of the organizations we studied told us that their chief executive officers or other very senior executives had an ongoing interest in information technology and security, which translated into an organizationwide emphasis on these areas. Although the emphasis on security at the organizations we studied generally emanated from top officials, security specialists at lower levels nurtured this emphasis by keeping top officials abreast of emerging security issues, educating managers at all levels, and emphasizing the related business risks to their own organizations.

Security Seen As An Enabler

In addition, most of the organizations we studied were aggressively exploring ways to improve operational efficiency and service to customers through new or expanded applications of information technology, which usually prompted new security considerations. Officials at one organization told us that they viewed their ability to exploit information technology as giving them a significant competitive advantage. In this regard, several organizations told us that security was increasingly being viewed as an enabler, a necessary step in mitigating the risks associated with new applications involving Internet use and broadened access to the organization's computerized data. As a result, security was seen as an important component in improving business operations by creating opportunities to use information technology in ways that would not otherwise be feasible.

Practice 2: Develop Practical Risk Assessment Procedures That Link Security to Business Needs

The organizations we studied had tried or were exploring various risk assessment methodologies, ranging from very informal discussions of risk to fairly complex methods involving the use of specialized software tools.
However, the organizations that were the most satisfied with their risk assessment procedures were those that had defined a relatively simple process that could be adapted to various organizational units and involved a mix of individuals with knowledge of business operations and technical aspects of the organization's systems and security controls.

The manufacturing company had developed an automated checklist that asked business managers and relevant staff in individual units a series of questions that prompted them to consider the impact of security controls, or a lack thereof, on their unit's operations. The results of the analysis were reported in a letter to senior management that stated the business unit's compliance with the security policy, planned actions to become compliant, or willingness to accept the risk. The results were also reported to the internal auditors, who used them as a basis for reviewing the business unit's success in implementing the controls that the unit's managers had determined were needed. Through the reporting procedure, the business managers took responsibility for either tolerating or mitigating security risks associated with their operations.

Such procedures provided a relatively quick and consistent means of exploring risk with business managers, selecting cost-effective controls, and documenting conclusions and business managers' acceptance of final determinations regarding what controls were needed and what risks could be tolerated. With similar objectives in mind, the utility company we studied had developed a streamlined risk assessment process that brought together business managers and technical experts to discuss risk factors and mitigating controls. (This process is described in detail as a case example on page 27.)

Other organizations had developed less formal and comprehensive techniques for ensuring that risks were considered prior to changes in operations.
* The retailer had established standard procedures for requesting and granting new network connections. Under these procedures, documentation about the business need for the proposed connection and the risks associated with the proposed connection had to be submitted in writing prior to consideration by the central security group. Then, a meeting between the technical group, which implemented new connections, the requester, and the central security group was held to further explore the issue. The documentation and meeting helped ensure that the requester's business needs were clearly understood and the best solution was adopted without compromising the network's security.

* The financial services corporation had implemented procedures for documenting business managers' decisions to deviate from organizationwide policies and standards. In order to deviate from a "mandatory policy," the business unit prepared a letter explaining the reason for the deviation and recognizing the related risk. Both the business unit executive and the central security group manager signed the letter to acknowledge their agreement to the necessity of the policy deviation. Deviations from less rigid "standards" were handled similarly, although the letter could be signed by the business unit executive alone and did not require the central security group's approval, though it was generally received. In all cases, the central security group discussed the information security implications of the deviation with the appropriate executive and signed off only when it was satisfied that the executives fully understood the risk associated with the deviation. However, the ultimate decision on whether a deviation from policies or standards was appropriate was usually left to the business unit.

Organizations Saw Benefits Despite Lack of Precision

"Actual losses are not necessarily good indications of risk."
- Security manager at a prominent financial institution

Although all of the organizations placed emphasis on understanding risks, none attempted to precisely quantify them, noting that little quantified data are available on the likelihood of an incident occurring or on the amount of damage that is likely to result from a particular type of incident. Such data are not available because many losses are never discovered and others are never reported, even within the organizations where they occurred. In addition, there are limited data on the full costs of damage caused by security weaknesses and on the operational costs of specific control techniques. Further, due to fast-paced changes in technology and factors such as the tools available to would-be intruders, the value of applying data collected in past years to the current environment is questionable. As a result, it is difficult, if not impossible, to precisely compare the cost of controls with the risk of loss in order to determine which controls are the most cost-effective. Ultimately, business managers and security specialists must rely on the best information available and their best judgment in determining what controls are needed.

Despite their inability to precisely compare the costs of controls with reductions in risk, the organizations we studied said that risk assessments still served their primary purpose of ensuring that the risk implications of new and existing applications were explored. In particular, the security managers we met with believed that adequate information was available to identify the most significant risks.
For example, in addition to their own organization's experience, they noted that information on threats, specific software vulnerabilities, and potential damage was widely available in technical literature, security bulletins from organizations such as the Carnegie-Mellon Computer Emergency Response Team (CERT), surveys done by professional associations and audit firms, and discussion groups. Although much of this information was anecdotal, the security managers thought that it was sufficient to give them a good understanding of the threats of concern to their organizations and of the potential for damage.

In addition, the lack of quantified results did not diminish the value of risk assessments as a tool for educating business managers. By increasing the understanding of risks, risk assessments (1) improved business managers' ability to make decisions on controls needed, in the absence of quantified risk assessment results, and (2) engendered support for policies and controls adopted, thus helping to ensure that policies and controls would operate as intended.

Practice 3: Hold Program and Business Managers Accountable

"Holding business managers accountable and changing the security staff's role from enforcement to service has been a major paradigm shift for the entire company." - Security manager at a major equipment manufacturer

The organizations we studied were unanimous in their conviction that business managers must bear the primary responsibility for determining the level of protection needed for information resources that support business operations. In this regard, most of the organizations we studied held the view that business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk.
However, security specialists played a strong educational and advisory role and had the ability to elevate discussions to higher management levels when they believed that risks were not being adequately addressed.

Business managers, usually referred to as program managers in federal agencies, are generally in the best position to determine which of their information resources are the most sensitive and what the business impact of a loss of integrity, confidentiality, or availability would be. Business or program managers are also in the best position to determine how security controls may impair their operations. For this reason, involving them in selecting controls can help ensure that controls are practical and will be implemented.

Accordingly, security specialists at the organizations we studied had assumed the role of educators, advisors, and facilitators who helped ensure that business managers were aware of risks and of control techniques that had been or could be implemented to mitigate the risks. For several of the organizations we studied, these roles represented a dramatic reversal from past years, when security personnel were viewed as rigid, sometimes overly protective enforcers who often did not adequately consider the effect of security controls on business operations.

Some of the organizations we studied had instituted mechanisms for documenting and reporting business managers' risk determinations. These generally required some type of sign-off on memoranda that either (1) reported deviations from predetermined control requirements, as was the case at the financial services corporation and the manufacturing company discussed previously, or (2) provided the results of risk assessments, as was the case of the utility company described in the following case example. According to the security managers we met with, such sign-off requirements helped ensure that business managers carefully considered their decisions before finalizing them.
Case Example: A Practical Method for Involving Business Managers in Risk Assessment

A major electric utility company has developed an efficient and disciplined process for ensuring that information security-related risks to business operations are considered and documented. The process involves analyzing one system or segment of business operation at a time and convening a team of individuals that includes business managers who are familiar with business information needs and technical staff who have a detailed understanding of potential system vulnerabilities and related controls. The sessions, which follow a standard agenda, are facilitated by a member of the central security group who helps ensure that business managers and technical staff communicate effectively and adhere to the agenda.

During the session, the group brainstorms to identify potential threats, vulnerabilities, and resultant negative impacts on data integrity, confidentiality, and availability. Then, they analyze the effects of such impacts on business operations and broadly categorize the risks as major or minor. The group does not usually attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates unless the data for determining such factors are readily available. Instead, they rely on their general knowledge of threats and vulnerabilities obtained from national incident response centers, professional associations and literature, and their own experience. They believe that additional efforts to develop precisely quantified risks are not cost-effective because (1) such estimates take an inordinate amount of time and effort to identify and verify or develop, (2) the risk documentation becomes too voluminous to be of practical use, and (3) specific loss estimates are generally not needed to determine if a control is needed.
After identifying and categorizing risks, the group identifies controls that could be implemented to reduce the risk, focusing on the most cost-effective controls. As a starting point, they use a list of about 25 common controls designed to address various types of risk. Ultimately, the decision as to what controls are needed lies with the business managers, who take into account the nature of the information assets and their importance to business operations and the cost of controls. The team's conclusions as to what risks exist and what controls are needed are documented along with a related action plan for control implementation. This document is then signed by the senior business manager and technical expert participating, and copies are made available to all participant groups and to the internal auditors, who may later audit the effectiveness of the agreed upon controls.

Each risk analysis session takes approximately 4 hours and includes 7 to 15 people, though sessions with as many as 50 and as few as 4 people have occurred. Additional time is usually needed to develop the action plan. The information security group conducts between 8 and 12 sessions a month.

According to the utility's central information security group, this process increases security awareness among business managers, develops support for needed controls, and helps integrate information security considerations into the organization's business operations.

Practice 4: Manage Risk on a Continuing Basis

"Information security is definitely a journey, not a destination--there are always new challenges to meet." - Chief information security officer at a major financial services corporation

The organizations we met with emphasized the importance of continuous attention to security to ensure that controls were appropriate and effective.
They stressed that constant vigilance was needed to ensure that controls remained appropriate, addressing current risks and not unnecessarily hindering operations, and that individuals who used and maintained information systems complied with organizational policies. Such attention is important for all types of internal controls, but it is especially important for security over computerized information, because, as mentioned previously, the factors that affect computer security are constantly changing in today's dynamic environment. Such changing factors include threats, systems technologies and configurations, known vulnerabilities in existing software, the level of reliance on automated systems and electronic data, and the sensitivity of such operations and data.

Existing Federal Guidance Provides a Framework for Implementing Risk Management Practices

OMB's most recent revision of Circular A-130, Appendix III, recognizes that federal agencies have had difficulty in performing effective risk assessments, and it reemphasizes the importance of holding program managers accountable for authorizing systems for use and, thus, accepting the risks associated with these systems. In its 1996 revisions of Circular A-130, OMB eliminated a long-standing federal requirement for formal risk assessments because agencies were expending resources on complex assessments of specific risks with limited tangible benefits in terms of improved security. Instead, OMB's revised circular promotes a risk-based approach and suggests that, rather than trying to precisely measure risk, agencies focus on generally assessing risks and managing them. This approach is similar to that used by the organizations we studied.

Similarly, the concept of holding program managers accountable underlies the existing federal process for accrediting systems for use.
Accreditation is detailed in NIST's Federal Information Processing Standards Publication 102, "Guideline for Computer Security Certification and Accreditation," which was published in 1983. According to NIST, accreditation is "the formal authorization by the management official for system operation and an explicit acceptance of risk." OMB's 1996 update to Circular A-130, Appendix III, provides similar guidance, specifying that a management official should authorize in writing the use of each system before beginning or significantly changing use of the system. "By authorizing processing in a system, a manager accepts the risks associated with it."

Getting Started: Assessing Risk and Determining Needs

Senior Program Officials
* Gain an understanding of the criticality and sensitivity of the information and systems used by agency programs.
* Recognize that information security risks to program [...] relate to your agency's [...] operations.
* Monitor implementation of the risk assessment process to ensure that it is providing benefits and does not [...].
* Define risk [...] that involve senior program officials and require them to make final determinations regarding the level of [...].
* [...] that security specialists and other technical experts are available to educate and advise program officials regarding potential vulnerabilities and related risks.

Senior Security Officials
* Promote and facilitate the risk assessment process by (1) developing practical risk assessment procedures and tools, (2) arranging for risk assessment sessions, and (3) ensuring the involvement of key program and technical [...].
* In promoting the adoption of policies and other controls, focus on the specific business reasons for the controls rather than on [...] requirements.

Establish a Central Management Focal Point

[Diagram: risk management cycle, highlighting Establish a Central Management Focal Point.]

"A central focal point is essential to spotting trends, identifying problem areas, and seeing that policies and administrative actions are handled in a consistent manner." - Senior information security officer for a major university

"Information security has become too important to handle on an ad hoc basis." - Security specialist at a major retailing company

Managing the increased risks associated with a highly interconnected computing environment demands increased central coordination to ensure that weaknesses in one organizational unit's systems do not place the entire organization's information assets at undue risk. Each of the organizations we studied had adopted this view and, within the last few years, primarily since 1993, had established a central security management group or reoriented an existing central security group to facilitate and oversee the organization's information security activities. As such, the central group served as the focal point for coordinating activities associated with the four segments of the risk management cycle.
As discussed in the previous section on risk analysis, the central security groups served primarily as advisers or consultants to the business units, and, thus, they generally did not have the ability to independently dictate information security practices. However, most possessed considerable "clout" across their organizations due largely to the support they received from their organization's senior management. In this regard, their views were sought and respected by the organizations' business managers. The following case example describes how one organization strengthened its central security group and reoriented its focus.

Case Example: Transforming an Organization's Central Security Focal Point

In 1995, realizing that security was an essential element of its efforts to innovatively use information technology, a major manufacturer significantly reorganized and strengthened its central information security function. Prior to the reorganization, a central security group of about four individuals concentrated on mainframe security administration and had little interaction with the rest of the company. Since then, the central group has grown to include 12 individuals who manage the security of the company's main network, decentralized computer operations, and Internet use. In addition, the group participates in the company's strategic planning efforts and in the early stages of software development projects to ensure that security implications of these efforts are addressed. In this regard, it serves as a communications conduit between management and the information systems staff who design, build, and implement new applications.
Members of the central group possess a variety of technical skills and have specific information security responsibilities, such as developing policy, maintaining the firewall that protects the organization's network from unauthorized intrusions, or supporting security staff assigned to individual business units. According to the group's manager, because of the shift in the central group's responsibilities, "the members of the group had to change their mind-set from a staff organization to a service organization. They had to be willing to work with business managers to enable rather than to control business operations."

Practice 5: Designate a Central Group to Carry Out Key Activities

Overall, the central security groups we studied served as (1) catalysts for ensuring that information security risks were considered in both planned and ongoing operations, (2) central resources for advice and expertise to units throughout their organizations, and (3) a conduit for keeping top management informed about security-related issues and activities affecting the organization. In addition, these central groups were able to achieve some efficiencies and increase consistency in the implementation of the organization's security program by performing tasks centrally that might otherwise be performed by multiple individual business units.

Specific activities performed by central groups differed somewhat, primarily because they relied to a varying extent on security managers and administrators in subordinate units and on other organizationally separate groups, such as disaster recovery or emergency response teams. Examples of the most common activities carried out by central groups are described below.

* Developing and adjusting organizationwide policies and guidance, thus reducing redundant policy-related activities across the organization's units.
For example, the manufacturer's central security group recently revamped the company's entire information security manual and dedicated one staff member to maintaining it.

* Educating employees and other users about current information security risks and helping to ensure consistent understanding and administration of policies through help-line telephone numbers, presentations to business units, and written information communicated electronically or through paper memos.

* Initiating discussions on information security risks with business managers and conducting defined risk assessment procedures.

* Meeting periodically with senior managers to discuss the security implications of new information technology uses being considered.

* Researching potential threats, vulnerabilities, and control techniques and communicating this information to others in the organization. Many of the organizations supplemented knowledge gained from their own experiences by frequently perusing professional publications, alerts, and other information available in print and through the Internet. Several mentioned the importance of networking with outside organizations, such as the International Information Integrity Institute, the European Security Forum, and the Forum of Incident Response and Security Teams, to broaden their knowledge. One senior security officer noted, "Sharing information and solutions is important. Many organizations are becoming more willing to talk with outsiders about security because they realize that, despite differing missions and cultures, they all use similar technology and face many of the same threats."

* Monitoring various aspects of the organization's security-related activities by testing controls, accounting for the number and types of security incidents, and evaluating compliance with policies. The central groups often characterized these evaluative activities as services to the business units.
* Establishing a computer incident response capability and, in some cases, serving as members of the emergency response team.

* Assessing risks and identifying needed policies and controls for general support systems, such as organizationwide networks or central data processing centers, that supported multiple business units. For example, some central groups controlled all new connections to the organization's main network, ensuring that the connecting network met minimum security requirements. Similarly, one organization's central group was instrumental in acquiring a strong user authentication system to help ensure that network use could be reliably traced to the individual users. Further, most central groups oversaw Internet use.

* Creating standard data classifications and related definitions to facilitate protection of data shared among two or more business units.

* Reviewing and testing the security features in both commercially developed software that was being considered for use and internally developed software prior to its being moved into production. For example, the manufacturing company's central group reviewed all new Internet-related applications and had the authority to stop such applications from going into production if minimum security standards were not met. Similarly, the central information protection group at the utility we studied was required to approve all new applications to indicate that risks had been adequately considered.

* Providing self-assessment tools to business units so that they could monitor their own security posture. For example, the financial services corporation provided business units with software tools and checklists so that they would assume responsibility for identifying and correcting weaknesses, rather than depending on auditors to identify problems.
Practice 6: Provide the Central Group Ready and Independent Access to Senior Executives

Senior information security managers emphasized the importance of being able to discuss security issues with senior executives. Several noted that, to be effective, these senior executives had to be in a position to take action and effect change across organizational divisions. The ability to independently voice security concerns to senior executives was viewed as important because such concerns could often be at odds with business managers' and system developers' desires to implement new computer applications quickly and avoid controls that would impede efficiency, user friendliness, and convenience. This ability to elevate significant security concerns to higher management levels helped ensure that risks were thoroughly understood and that decisions as to whether such risks should be tolerated were carefully considered before final decisions were made.

The organizational positions of the central groups varied. Most were located two levels below the Chief Information Officer (CIO). However, the groups reporting directly to the CIO or to an even more senior official viewed this as an advantage because it provided them greater independence. Several others said that, despite their lower organizational position, they felt free to contact their CIOs and other senior executives when important security issues arose, and they were relatively unrestrained by the need to "go through the chain of command." Some noted that senior managers frequently called them to discuss security issues. For example, at the nonbank financial institution, the senior security manager was organizationally placed two levels below the CIO, but she met independently with the CIO once every quarter.
Also, during the first three months of 1997, she had met twice with the organization's chief executive officer, at his request, to discuss the security implications of new applications. In contrast, several federal information security officials told us that they felt that their organizations were placed too low in the organizational structure to be effective and that they had little or no opportunity to discuss information security issues with their CIOs and other senior agency officials.

Rather than depend on the personal interest of individual senior managers, two of the organizations we studied had established senior-level committees to ensure that information technology issues, including information security, received appropriate attention. For example, the university's central group had created a committee of respected university technical and policy experts to discuss and build consensus about the importance of certain information security issues reported to senior management, thus lending weight and credibility to concerns raised by the central security office.

Practice 7: Designate Dedicated Funding and Staff

Unlike many federal agencies, the central groups we studied had defined budgets, which gave them the ability to plan and set goals for their organization's information security program. At a minimum, these budgets covered central staff salaries and training and security hardware and software. At one organization, business units could supplement the central group's resources in order to increase the central group's participation in high priority projects.
While all of the central groups we studied had staffs ranging from 3 to 17 people permanently assigned to the group, comparing the size of these groups is of limited value because of wide variations in (1) the sizes of the organizations we studied, (2) the inherent riskiness of their operations, and (3) the additional support the groups received from other organizational components and from numerous subordinate security managers and administrators. In particular, no two groups we studied were alike regarding the extent of support they received from other organizational units. For example, the computer vendor relied on a security manager in each of the organization's four regional business units, while the utility's nine-member central group relied on 48 part-time information security coordinators at various levels within the company. Some central groups relied heavily on technical assistance located in another organizational unit, while others had significant technical expertise among their own staff, and, thus, were much more involved in directly implementing and testing controls. Despite these differences, two key characteristics were common to each of the organizations we studied: (1) information security responsibilities had been clearly defined for the groups involved and (2) dedicated staff resources had been provided to carry out these responsibilities. The following table summarizes the details on the size and structure of the organizations' information security staffs.
Placement and Staffing of Eight Central Information Security Management Groups

Organization | Approximate number of system users | Placement of central group | Number of dedicated central staff | Other staff resources relied on (some numbers are approximate)
Financial Services Corporation | 70,000 | Two levels below CEO | 17 | 35 security officers in business units
Electric Utility | 5,000 | One level below CIO | 9 | 48 security coordinators at three levels throughout the organization; virus response team; administrators
State University | 100,000 | One level below CIO | 3 | 170 LAN administrators; technical committee; policy committee; incident handling team
Retailer | 65,000 | Two levels below CIO | 12 | 2,000 distributed security administrators; internal audit staff; technical services group; loss prevention staff
State Agency | 8,000 | Two levels below CIO | 8 | 25 district managers; security administrators in 31 units; individuals with specialized expertise in the information systems group
(Nonbank) Financial Institution | 3,500 | Two levels below CIO | 7 | Central security administration group
Computer Vendor | 15,000 | Three levels below CIO | 4 | 27 regional security specialists
Equipment Manufacturer | 35,000 | Several levels below CIO | 12 | 70 site security administrators

Practice 8: Enhance Staff Professionalism and Technical Skills

The organizations we studied had taken steps to ensure that personnel involved in various aspects of their information security programs had the skills and knowledge they needed. In addition, they recognized that staff expertise had to be frequently updated to keep abreast of ongoing changes in threats, vulnerabilities, software, security techniques, and security monitoring tools.
Further, most of the organizations were striving to increase the professional stature of their staff in order to gain respect from others in their organizations and attract competent individuals to security-related positions.

Update Skills and Knowledge of Security Managers and Specialists

The training emphasis for staff in the central security management groups, many of whom came to their groups with significant technical expertise, was on keeping staff skills and knowledge current. This was accomplished primarily through attendance at technical conferences and specialized courses on topics such as the security features of new software, as well as networking with other security professionals and reviewing the latest technical literature and bulletins. To maximize the value of expenditures on external training and events, one central group required staff members who attended these events to brief others in the central group on what they had learned. In an effort to significantly upgrade the expertise of information security officers in its various business units, the central group at the financial services corporation had recently arranged for an outside firm to provide 5 weeks of training for these individuals. The training, which is planned to take place in 1-week increments throughout the year, is expected to entail a broad range of security-related topics, including general information security, encryption, access control, and how to build a better working relationship with the corporation's technical information systems group.

Citing an emerging trend, the senior information security managers had also started to create information security career paths and stress professional certification for security specialists.
In particular, many organizations were encouraging their staff to become Certified Information Systems Security Professionals (CISSP).4 One security manager noted that security specialists also needed excellent communication skills if they were to effectively fulfill their roles as consultants and facilitators for business managers who were less technically expert regarding computers and telecommunications.

4 The CISSP certification was established by the International Information Systems Security Certification Consortium. The consortium was established as a joint effort of several information security-related organizations, including the Information Systems Security Association and the Computer Security Institute, to develop a certification program for information security professionals.

Educate System Administrators

Increasing the expertise of system administrators presented different challenges. System administrators are important because they generally perform day-to-day security functions, such as creating new system user accounts, issuing new passwords, and implementing new software. These tasks must be completed properly and promptly or controls, such as passwords and related access restrictions, will not provide the level of protection intended. In addition, system administrators are the first line of defense against security intrusions and are generally in the best position to notice unusual activity that may indicate an intrusion or other security incident. However, at the organizations we studied, as at federal agencies, security is often a collateral duty, rather than a full-time job, and the individuals assigned frequently have limited technical expertise. As a result, the effectiveness of individual system administrators in maintaining security controls and spotting incidents is likely to vary.
To enhance the technical skills of their security administrators and help ensure that all of them had the minimal skills needed, most of the groups we studied had established special training sessions for them. For example,
* the manufacturer required new security administrators to spend 2 to 5 days in training with the central security group, depending on their technical skills, before they were granted authority to perform specific functions on the network, such as controlling the users' access rights;
* the central security group at the university we studied held annual technical conferences for the university's systems administrators and engaged professional training organizations to offer on-campus training at very reduced rates; and
* the state agency held a biannual conference for systems administrators that included sessions related to their information security responsibilities.

Attract and Keep Individuals with Technical Skills

Most of the groups cited maintaining or increasing the technical expertise among their security staff as a major challenge, largely due to the high demand for information technology experts in the job market. In response, several said they offered higher salaries and special benefits to attract and keep expert staff. For example, the financial services corporation provided competitive pay based on surveys of industry pay levels, attempted to maintain a challenging work environment, and provided flexible work schedules and telecommuting opportunities that allowed most of the staff to work at home 1 day a week. In addition, provisions were made for staff to do the type of work they preferred, such as software testing versus giving presentations. Organizations relied on both internally and externally developed and presented training courses, sometimes engaging contractors or others to assist.
For example, the state information security office above the state agency we studied worked with an information security professional organization to provide a relatively low-cost statewide training conference. The state organization provided meeting rooms and administrative support while the professional organization used its professional contacts to obtain knowledgeable speakers.

Getting Started--Establishing a Central Focal Point

Senior Program Officials:
* Involve agency security specialists in the early planning stages of projects involving computer and/or network operations.
* Be accessible to agency security experts.

CIOs:
* Establish a central group to serve as a source of knowledge and expertise on information security and to coordinate agency security-related activities.
* Provide the central group adequate resources, including funding for staff, security software tools, and training.
* Be accessible to agency security experts and involve them in the early stages of system development or enhancement projects.
* Support efforts to attract and retain individuals with needed technical skills.

Senior Security Officers:
* Develop training plans for increasing the expertise of security specialists and security administrators.
* Explore mechanisms for drawing on the expertise of others by leveraging resources outside of the agency.
* Develop methods for attracting and retaining individuals with needed technical skills.

Implement Appropriate Policies and Related Controls

[Figure: the risk management cycle -- Assess Risk & Determine Needs; Implement Policies & Controls; Promote Awareness; Monitor & Evaluate -- with a Central Focal Point at its center; this stage of the cycle is highlighted.]

The organizations we studied viewed information security policies as the foundation of their information security programs and the basis for adopting specific procedures and technical controls.
As with any area of operations, written policies are the primary mechanism by which management communicates its views and requirements to its employees, clients, and business partners. For information security, as with other types of internal controls, these views and requirements generally flow directly from risk considerations, as illustrated in the management cycle depicted above. As discussed earlier, our discussions with the eight organizations we studied focused on their methods for developing and supporting policies and guidelines. We did not discuss the specific controls they had implemented due to the proprietary and often highly technical nature of this information.

Practice 9: Link Policies To Business Risks

The organizations we studied stressed the importance of up-to-date policies that made sense to users and others who were expected to understand them. Many senior security managers told us that prior to the recent strengthening of their security programs, their organization's information security policies had been neglected and out-of-date, thus failing to address significant risks associated with their current interconnected computing environment. As a result, developing a comprehensive set of policies was one of their first steps in establishing an effective corporatewide security program. In addition, they emphasized the importance of adjusting policies on a continuous basis to respond to newly identified risks or areas of misunderstanding. For example,
* At the financial services corporation we studied, the central security group routinely analyzed the causes of security weaknesses identified by management and by auditors in order to identify policy and related control deficiencies.
* The university we studied had recently developed more explicit policies on system administrator responsibilities in recognition of the critical role of system administration in a distributed environment.
* The manufacturing company we studied had recently drafted policies on security incident response after an incident had exposed shortfalls in the company's guidance in this area.

A relatively new risk area receiving particular attention in the policies of the organizations we studied was user behavior. Many policies are implemented and, to some extent, enforced by technical controls, such as logical access controls that prevent individuals from reading or altering data in an unauthorized manner. However, many information security risks cannot be adequately mitigated with technical controls because they are a function of user behavior. In a networked environment, these risks are magnified because a problem on one computer can affect an entire network of computers within minutes and because users are likely to have easier access to larger amounts of data and the ability to communicate quickly with thousands of others. For example, users may accidentally disclose sensitive information to a large audience through electronic mail or introduce damaging viruses that are subsequently transmitted to the organization's entire network of computers. In addition, some users may feel no compunction against browsing sensitive organizational computer files or inappropriate Internet sites if there is no clear guidance on what types of user behavior are acceptable.

To address these risks, many of which did not exist prior to extensive use of networks, electronic mail, and the Internet, the organizations we visited had begun placing more emphasis on user behavior in their policies and guidelines. For example, the university's policies went beyond the traditional warnings against password disclosure by including prohibitions against a variety of possible user actions. These included misrepresenting their identity in electronic communications and conducting and promoting personal commercial enterprises on the network.
The senior security officer at this organization noted that, when rules such as this are aimed at users, it is especially important that they be stated in clearly understandable, relatively nontechnical language. The security officers at the computer vendor we studied said that because the company's information security policies emphasized user behavior, they were included in the organization's employee code of conduct.

Practice 10: Distinguish Between Policies and Guidelines

"Detailed guidelines are an important supplement to the official policies because they educate users and serve as an awareness tool." - Security manager at a prominent financial institution

A common technique for making organizational information security policies more useful was to divide them into two broad segments: concise high-level policies and more detailed information referred to as guidelines or standards. Policies generally outlined fundamental requirements that top management considered to be imperative, while guidelines provided more detailed rules for implementing the broader policies. Guidelines, while encouraged, were not considered to be mandatory for all business units. Distinguishing between organizational policies and guidelines provided several benefits. It allowed senior management to emphasize the most important elements of information security policy, provided some flexibility to unit managers, made policies easier for employees to understand, and, in some cases, reduced the amount of formal review needed to finalize updated policies.

Guidelines Can Serve As An Educational Tool

Several security managers said that short policies that emphasized the most important aspects of the organization's security concerns were more likely to be read and understood than voluminous and detailed policies.
However, they noted that more detailed guidelines often provided answers to employees' questions and served as a tool for educating subordinate security managers and others who wanted a more thorough understanding of good security practices. For example, the utility company we studied had distilled the fundamental components of its information protection policies into less than one page of text. This narrative (1) stated that "Information is a corporate asset ... Information must be protected according to its sensitivity, criticality and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed," (2) outlined the responsibilities of information owners, custodians, and users, (3) defined the organization's three data classification categories, and (4) stated that each business unit should develop an information protection program to implement these policies. The policy statement then referred the reader to a 73-page reference guide that provided definitions, recommended guidelines and procedures, explanatory discussions, and self-assessment questionnaires designed to assist business units in understanding the need for the policies and how they could be implemented.

Guidelines Provide for Flexibility

Although the latitude granted to business units varied, providing both policies and guidelines allowed business units to tailor the guidelines to their own individual unit's information protection needs. It also reinforced the business managers' sense of ownership of their information assets. For example, the large financial services corporation we studied had divided its information security rules into "policies" and "standards." Policies were mandatory, high-level requirements that, with rare exception, had to be followed.
An example of a policy was that units were required to use commercially developed software rather than developing unique software in-house. An example of a standard at the same institution was a prescribed minimum password length. At this organization, deviations from policies had to be documented in a letter signed by both the executive of the business group requesting the deviation and the central information security group's manager. However, deviations from standards required only approval from the group's executive. Such deviations were required to be documented in a letter and, though not required, were usually approved by the central security group. All deviations had to be renewed annually.

Practice 11: Support Policies Through the Central Security Group

At the organizations we visited, the central security management group was responsible for developing written corporatewide policies in partnership with business managers, internal auditors, and attorneys. In addition, the central groups provided related explanations, guidance, and support to business units. Several security managers noted that business managers are much more likely to support centrally developed policies if they clearly address organizational needs and are practical to implement. For this reason, these organizations had developed mechanisms for involving other organizational components in policy documentation. Most often this involvement was in the form of reviews of policy drafts. However, the university we studied had established an information security policy committee that included top university officials, legal counsel, and representatives from student affairs, faculty affairs, and internal audit to assist in the development and review of policies.

The central security management groups played an important role in ensuring that policies were consistently implemented by serving as focal points for user questions.
By serving as a readily available resource for organization employees, they helped clear up misunderstandings and provided guidance on topics that were not specifically addressed in written guidance. Most organizations had also made their policies available through their computer networks so that users could readily access the most up-to-date version whenever they needed to refer to them. In addition, many organizations required users to sign a statement that they had read and understood the organization's information security policies. Generally, such statements were required from new users at the time access to information resources was first provided and from all users periodically, usually once a year. One security manager said that they thought that requiring such signed statements served as a useful technique for impressing on the users the importance of understanding organizational policies. In addition, if the user was later involved in a security violation, the statement served as evidence that he or she had been informed of organizational policies. Additional techniques for communicating information security policies are discussed in the next section on promoting awareness. 
Getting Started--Implementing Appropriate Policies and Related Controls

Senior Program Officials:
* Review existing policies against current risks and related information protection needs, and develop new policies where needed to address current risks.

CIOs:
* Assign responsibility to the central security group for coordinating the development of written policies.
* Institute procedures for periodically updating policies.

Senior Security Officers:
* Document policies clearly so that they can be readily understood.
* Distinguish between policies and guidelines.

Promote Awareness

[Figure: the risk management cycle -- Assess Risk & Determine Needs; Implement Policies & Controls; Promote Awareness; Monitor & Evaluate -- with a Central Focal Point at its center; this stage of the cycle is highlighted.]

"Users are much more likely to support and comply with policies if they clearly understand the purpose for the policies and their responsibilities in regard to the policies." - Information security manager for a state agency

User awareness is essential to successfully implementing information security policies and ensuring that related controls are working properly. Computer users, and others with access to information resources, cannot be expected to comply with policies that they are not aware of or do not understand. Similarly, if they are not aware of the risks associated with their organization's information resources, they may not understand the need for and support compliance with policies designed to reduce risk. For this reason, the organizations we studied considered promoting awareness as an essential element of the risk management cycle.
Practice 12: Continually Educate Users and Others on Risks and Related Policies

The central groups we studied had implemented ongoing awareness strategies to educate all individuals who might affect the organization's information security. These individuals were primarily computer users, who might be employees; contractors; clients; or commercial partners, such as suppliers. One organization took an even broader view, targeting awareness efforts also at custodians and security guards, after a night security guard accidentally destroyed some important data while playing games on a computer after hours. The groups focused their efforts on increasing everyone's understanding of the risks associated with the organization's information and the related policies and controls in place to mitigate those risks.

Although these efforts were generally aimed at encouraging policy compliance, the senior security official at the retailing company we studied emphasized the importance of improving users' understanding of risks. She said that her central security group had recognized that policies, no matter how detailed, could never address every scenario that might lead to a security incident. As a result, her overarching philosophy regarding awareness efforts was that users who thoroughly understood the risks were better equipped to use good judgment when faced with a potential security breach. For example, such employees were less likely to be tricked into disclosing sensitive information or passwords.

This last point highlights one of the most important reasons for sensitizing computer users and other employees to the importance of information security. Users disclosing sensitive information or passwords in response to seemingly innocent requests from strangers either over the phone or in person can provide intruders easy access to an organization's information and systems.
Such techniques, often referred to as "social engineering," exploit users' tendencies to be cooperative and helpful, instead of guarded, careful, and suspicious, when information is requested. Without adequate awareness about the risks involved in disclosing sensitive information, users may volunteer information which can allow an intruder to circumvent otherwise well-designed access controls.

Practice 13: Use Attention-Getting and User-Friendly Techniques

To get their message across, the central security groups used a variety of training and promotional techniques to make organizational policies readily accessible, educate users on these policies, and keep security concerns in the forefront of users' minds. Techniques used included
* intranet websites that communicated and explained information security related policies, standards, procedures, alerts, and special notes;
* awareness videos with enthusiastic endorsements from top management for the security program to supplement basic guidance, such as the importance of backing up files and protecting passwords;
* interactive presentations by security staff to various user groups to market the services provided by the central information security group and answer user questions; and
* security awareness days and products with security-related slogans.

The organizations we visited avoided having once-a-year, one-size-fits-all security briefings like those seen at many federal agencies. The security managers we talked with said that it was important to relate security concerns to the specific risks faced by users in individual business groups and ensure that security was an everyday consideration.
Case Example - Coordinating Policy Development and Awareness Activities

After experiencing a significant virus infection in 1989, the retailing company we studied assigned one of its managers to step up efforts to promote employee awareness of information security risks and related organizational policies. Since then, this individual's responsibilities for information security policy development and awareness, which had previously been handled on a part-time basis, have evolved into a full-time "awareness manager position" in the organization's central security group. The company's response to a minor incident involving the unintentional release of company financial data illustrates the compatibility of these roles. To reduce the chances of a similar incident, the awareness manager concurrently (1) coordinated the development of a policy describing organizational data classification standards and (2) developed a brochure and guidelines to publicize the new standards and educate employees on their implementation. By coordinating policy development and awareness activities in this manner, she helps ensure that new risks and policies are communicated promptly and that employees are periodically reminded of existing policies through means such as monthly bulletins, an intranet web site, and presentations to new employees.

Getting Started--Promoting Awareness

Senior Program Officials:
* Demonstrate support by participating in efforts to promote information security awareness.

CIOs:
* Provide adequate funding and support to adequately promote awareness throughout the agency.

Senior Security Officers:
* Implement ongoing awareness strategies to educate all individuals who might impact the organization's information security.

Monitor and Evaluate Policy and Control Effectiveness

[Figure: the risk management cycle -- Assess Risk & Determine Needs; Implement Policies & Controls; Promote Awareness; Monitor & Evaluate -- with a Central Focal Point at its center; this stage of the cycle is highlighted.]

As with any type of business activity, information security should be monitored and periodically reassessed to ensure that policies continue to be appropriate and that controls are accomplishing their intended purpose. Over time, policies and procedures may become inadequate because of changes in threats, changes in operations, or deterioration in the degree of compliance. Periodic assessments or reports on activities can be a valuable means of identifying areas of noncompliance, reminding employees of their responsibilities, and demonstrating management's commitment to the security program.

The organizations we studied had recognized that monitoring control effectiveness and compliance with policies is a key step in the cycle of managing information security. Accordingly, they monitored numerous factors associated with their security programs, and they used the results to identify needed improvements. They used various techniques to do this, and several mentioned their efforts to identify, evaluate, and implement new, more effective tools as they become available. Such tools include software that can be used to automatically monitor control effectiveness and information systems activity. In addition, several of the security managers we met with expressed interest in improving their ability to more precisely measure the costs and benefits of security-related activities so that their organizations could better determine which controls and activities were the most cost effective.
Practice 14: Monitor Factors that Affect Risk and Indicate Security Effectiveness

The organizations focused their monitoring efforts primarily on (1) determining if controls were in place and operating as intended to reduce risk and (2) evaluating the effectiveness of the security program in communicating policies, raising awareness levels, and reducing incidents. As discussed below, these efforts included testing controls, monitoring compliance with policies, analyzing security incidents, and accounting for procedural accomplishments and other indicators that efforts to promote awareness were effective.

Testing the Effectiveness of Controls

Directly testing control effectiveness was cited most often as an effective way to determine if the risk reduction techniques that had been agreed to were, in fact, operating effectively. In keeping with their role as advisors and facilitators, most of the security managers we met with said that they relied significantly on auditors to test controls. In these cases, the central security management groups kept track of audit findings related to information security and the organization's progress in implementing corrective actions.

However, several of the central security groups also performed their own tests. For example, the central security group at the university we studied periodically ran a computer program designed to detect network vulnerabilities at various individual academic departments and reported weaknesses to department heads. A subsequent review was performed a few months later to determine if weaknesses had been reduced. The central security manager told us that she considered the tests, which could be performed inexpensively by her staff, a cost-effective way to evaluate this important aspect of security and provide a service to the academic departments, which were ultimately responsible for the security of their departments' information and operations.
Several organizations periodically tested system and network access controls by allowing designated individuals to try to "break into" their systems using the latest hacking techniques. This type of testing is often referred to as penetration testing. The individuals performing the tests, which at various organizations were internal auditors, contractors, student interns, or central security staff, were encouraged to research and use hacking instructions and tools available on the Internet or from other sources in order to simulate attacks from real hackers. By allowing such tests, the organizations could readily identify previously unknown vulnerabilities and either eliminate them or make adjustments in computer and network use to lessen the risks.

One organization had performed annual tests of its disaster recovery plan to identify and correct plan weaknesses. A recent test was particularly effective because it involved a comprehensive simulation of a real disaster. The test involved staging a surprise "bomb scare" to get employees, who were unaware that the threat was a pretense, to evacuate the building. After the employees had evacuated, they were told that they were participating in a test, that they were to assume that a bomb had actually destroyed their workplace, and to proceed with emergency recovery plans. The test, which was organized by the agency's contingency planning group, proved extremely successful in identifying plan weaknesses and in dramatically sensitizing employees to the value of anticipating and being prepared for such events.

Monitoring Compliance With Policies and Guidelines

All of the organizations we studied monitored compliance with organizational policies to some extent. Much of this monitoring was achieved through informal feedback to the central security group from system administrators and others in other organizational units.
However, a few organizations had developed more structured mechanisms for such monitoring. For example, the utility company included in our study developed quarterly reports on compliance with organizational policies, such as the number of organizational units that had tailored their own information protection policies as required by corporate-level policy. Also, several organizations said that they had employed self-assessment tools, such as the Computer Security Institute's "Computer Security Compliance Test," to compare their organization's programs to pre-established criteria.

Accounting For and Analyzing Security Incidents

Keeping summary records of actual security incidents is one way that an organization can measure the frequency of various types of violations as well as the damage suffered from these incidents. Such records can provide valuable input for risk assessments and budgetary decisions. Although all of the organizations we studied kept at least informal records on incidents, those that had formalized the process found such information to be a valuable resource. For example, at the nonbank financial institution we studied, the central security manager kept records on viruses detected and eradicated, including estimates of the cost of potential damage to computer files that was averted by the use of virus detection software. This information was then used to justify annual budget requests when additional virus detection software was needed. However, as discussed in the following case example, the university we studied had developed the most comprehensive procedures for accounting for and analyzing security incidents.
Case Example: Developing an Incident Database

The central security group at the university we studied had developed a database that served as a valuable management tool in monitoring problems, reassessing risks, and determining how to best use limited resources to address the most significant information security problems. The database accounted for the number of information security incidents that had been reported, the types of incidents, and actions taken to resolve each incident, including disciplinary actions. At the time of our visit, in February 1997, incidents were categorized into 13 types, which generally pertained to the negative effects of the violations. Examples included denial of service, unauthorized access, data compromise, system damage, copyright infringement, and unauthorized commercial activity.

By keeping such records, the central group could develop monthly reports that showed increases and decreases in incident frequency, trends, and the status of resolution efforts. This, in turn, provided the central security group a means of (1) identifying emerging problems, (2) assessing the effectiveness of current policies and awareness efforts, (3) determining the need for stepped up education or new controls to address problem areas, and (4) monitoring the status of investigative and disciplinary actions to help ensure that no individual violation was inadvertently forgotten and that violations were handled consistently.

The means of maintaining the database and the details that it contained had changed as the number of reported incidents at the university had grown, from 3 or 4 a month in 1993 to between 50 and 60 a month in early 1997, and as the database's value as a management tool became more apparent. Records originally maintained in a paper logbook had been transferred to a personal computer, and information on followup actions had recently been expanded.
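The kind of incident database the case example describes, as an added illustration that is not the university's own system or data: the guide names only six of the 13 incident types, so only those six are used, the 30-day "stale" threshold is assumed, and the incident records are constructed. It produces the monthly frequency and trend figures, the per-category breakdown, the list of unresolved incidents so none is inadvertently forgotten, and a check that violations of the same type were handled consistently.

```python
"""Incident database of the kind described in the university case example.

Added illustration, not the university's own system or data. The guide names
only six of the 13 incident types, so only those six are used here; the
incident records are constructed samples.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# The six incident types the guide gives as examples (the other seven are not listed).
CATEGORIES = frozenset({
    "denial_of_service", "unauthorized_access", "data_compromise",
    "system_damage", "copyright_infringement", "unauthorized_commercial_activity",
})


@dataclass
class Incident:
    incident_id: int
    reported: date
    category: str
    actions: list = field(default_factory=list)   # actions taken so far
    resolved: Optional[date] = None               # None while still open
    disciplinary_action: Optional[str] = None     # e.g. "warning", or None

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown incident category: {self.category}")


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


def monthly_counts(incidents):
    """Incidents reported per month: overall totals and a per-category breakdown."""
    totals = Counter()
    by_category = defaultdict(Counter)
    for inc in incidents:
        m = month_key(inc.reported)
        totals[m] += 1
        by_category[m][inc.category] += 1
    return totals, by_category


def trend(totals):
    """(month, count, change from previous month) in chronological order;
    the first month has no previous month, so its change is None."""
    rows, prev = [], None
    for m in sorted(totals):
        rows.append((m, totals[m], None if prev is None else totals[m] - totals[prev]))
        prev = m
    return rows


def open_incidents(incidents, as_of: date, stale_after_days: int = 30):
    """Unresolved incidents as (id, age in days, stale?), so that no individual
    violation is inadvertently forgotten. The 30-day threshold is assumed."""
    rows = []
    for inc in incidents:
        if inc.resolved is None:
            age = (as_of - inc.reported).days
            rows.append((inc.incident_id, age, age > stale_after_days))
    return rows


def inconsistent_handling(incidents):
    """Categories whose resolved incidents received differing disciplinary
    actions, a prompt to check that violations are handled consistently."""
    outcomes = defaultdict(set)
    for inc in incidents:
        if inc.resolved is not None:
            outcomes[inc.category].add(inc.disciplinary_action)
    return sorted(c for c, o in outcomes.items() if len(o) > 1)


def monthly_report(incidents, as_of: date):
    totals, by_category = monthly_counts(incidents)
    return {
        "trend": trend(totals),
        "by_category": {m: dict(c) for m, c in by_category.items()},
        "open": open_incidents(incidents, as_of),
        "inconsistent": inconsistent_handling(incidents),
    }


# Constructed sample records (not real university data).
SAMPLE = [
    Incident(1, date(1997, 1, 3), "unauthorized_access", ["account disabled"], date(1997, 1, 5), "warning"),
    Incident(2, date(1997, 1, 10), "copyright_infringement", ["takedown notice sent"], date(1997, 1, 12), "warning"),
    Incident(3, date(1997, 1, 20), "denial_of_service", [], None),
    Incident(4, date(1997, 2, 2), "unauthorized_access", ["password reset"], date(1997, 2, 3), None),
    Incident(5, date(1997, 2, 14), "data_compromise", ["data owner notified"], None),
    Incident(6, date(1997, 2, 20), "unauthorized_access", [], None),
    Incident(7, date(1997, 2, 25), "system_damage", ["restored from backup"], date(1997, 2, 27), None),
    Incident(8, date(1997, 2, 28), "unauthorized_commercial_activity", [], None),
]
AS_OF = date(1997, 3, 1)   # report date for the constructed sample

if __name__ == "__main__":
    report = monthly_report(SAMPLE, AS_OF)
    for month, count, change in report["trend"]:
        print(f"{month}: {count} incidents, change from previous month: {change}")
    print("open incidents (id, age, stale):", report["open"])
    print("categories with inconsistent handling:", report["inconsistent"])
```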
The university's senior security officer noted that the database could be augmented to provide an even broader range of security management information. For example, while the university did not develop data on the actual cost of incidents, such as the cost of recovering from virus infections, the database could be used to compile such information, which would be useful in measuring the cost of security lapses and in determining how much to spend on controls to reduce such lapses.

Monitoring the Effectiveness of the Central Security Management Group

Several of the central security groups had developed measures of their own activities, outputs, and expertise as an indication of their effectiveness. Examples of these items included

* the number of calls from users, indicating knowledge of and respect for security specialists;
* the number of security-related briefings and training sessions presented;
* the number of risk assessments performed;
* the number of security managers and systems administrators who were Certified Information System Security Professionals; and
* the number of training courses and conferences held or attended.

Emerging Interest in More Precisely Measuring Cost and Benefits

Several of the security managers we met with expressed an interest in developing better measurement capabilities so that they could more precisely measure the ultimate benefits and drawbacks of security-related policies and controls, that is, the positive and negative impacts of information security on business operations. However, they said that such measurements would be difficult because it is costly to do the research and recordkeeping necessary to develop information on (1) the full cost of controls (both the initial cost and operational inefficiencies associated with the controls) and (2) the full cost of incidents or problems resulting from inadequate controls.
Further, as discussed previously regarding risk assessment, actual reductions in risk cannot be precisely quantified because sufficient data on risk factors are not available.

In an effort to more thoroughly explore this topic, we expanded our discussions beyond the eight organizations that were the primary subjects of our study by requesting the Computer Security Institute to informally poll its most active members on this subject. We also discussed assessment techniques with experts at NIST. Although we identified no organizations that had made significant progress in applying such measures, we found that more precisely measuring the positive and negative effects of security on business operations is an area of developing interest among many information security experts. For this reason, improved data and measurement techniques may be available in the future.

Practice 15: Use Results to Direct Future Efforts and Hold Managers Accountable

Although monitoring, in itself, may encourage compliance with information security policies, the full benefits of monitoring are not achieved unless results are used to improve the security program. Analyzing the results of monitoring efforts provides security specialists and business managers a means of (1) reassessing previously identified risks, (2) identifying new problem areas, (3) reassessing the appropriateness of existing controls and security-related activities, (4) identifying the need for new controls, and (5) redirecting subsequent monitoring efforts. For example, the central security group at the utility we studied redirected its training programs in response to information security weaknesses reported by its internal auditors. Similarly, security specialists at the manufacturing company recently visited one of the company's overseas units to assist in resolving security weaknesses identified by internal auditors.
The previously cited example of using records on virus incidents to determine the need for virus-detection software also illustrates this point.

Results can also be used to hold managers accountable for their information security responsibilities. Several organizations had developed quarterly reporting mechanisms to summarize the status of security-related efforts. However, the financial services corporation provided the best example of how periodic reports of results can be used to hold managers accountable for understanding, as well as reducing, the information security risks to their business units. A description of this process is provided in the following case example.

Case Example: Measuring Control Effectiveness and Management Awareness

At the financial services corporation we studied, managers are expected to know what their security problems are and to have plans in place to resolve them. To help ensure that managers fulfill this responsibility, they are provided self-assessment tools that they can use to evaluate the information security aspects of their operations. When weaknesses are discovered, the business managers are expected to either improve compliance with existing policies or consult with the corporation's security experts regarding the feasibility of implementing new policies or control techniques.

Ratings based on audit findings serve as an independent measure of control effectiveness and management awareness. At the start of every audit, the auditors ask the pertinent business managers what weaknesses exist in their operations and what corrective actions they have deemed necessary and have planned. After audit work is complete, the auditors compare their findings with management's original assertions to see if management was generally aware of all of the weaknesses prior to the audit.
The auditors then develop two ratings on a scale of 1 to 5: one rating to indicate the effectiveness of information security controls and a second rating to indicate the level of management awareness. If the auditors discover serious, but previously unrecognized weaknesses, the management awareness rating will be lowered. However, if the auditor finds no additional weaknesses, management will receive a good awareness rating, even if controls need to be strengthened. These ratings are forwarded to the CEO and to the board of directors, where they can be used as performance measures. According to the bank's central security manager, the bank chairman's goal is for all business units to have favorable ratings (4 or 5) in both categories.

Such a rating system provides not only a measure of performance and awareness, but it also places primary responsibility for information security with the managers whose operations depend on it. Further, it recognizes the importance of identifying weaknesses and the risk they present, even when they cannot be completely eliminated.

Practice 16: Be Alert to New Monitoring Tools and Techniques

The security specialists we met with said that they were constantly on the lookout for new tools to test the security of their computerized operations. Two security managers noted that their organizations had implemented new, more sophisticated, software tools for monitoring network vulnerabilities. However, several security managers said that the development of automated monitoring tools is lagging behind the introduction of new computer and network technologies and that this has impaired their efforts to detect incidents, especially unauthorized intrusions. Similarly, as discussed previously, managers are looking for practical techniques for more precisely measuring the value of security controls and obtaining better data on risk factors.
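The two-rating scheme from the financial services case example above, as an added illustration that is not the corporation's own method: the guide describes the ratings only qualitatively, so the severity weights and the scoring rule are assumed; the 1-to-5 scale, the "lower awareness only for unrecognized weaknesses" rule, and the favorable-means-4-or-5 goal come from the guide, and the audit scenarios are constructed.

```python
"""Audit ratings of control effectiveness and management awareness, modelled
on the financial services corporation case example in the guide.

Added illustration, not the corporation's own method: the severity weights and
the floor-based scoring are assumed. The 1-to-5 scale, the rule that awareness
is lowered only by weaknesses management had not already asserted, and the goal
of favorable ratings (4 or 5) in both categories come from the guide.
"""
import math
from dataclasses import dataclass

SEVERITY_WEIGHT = {"low": 0.5, "moderate": 1.0, "serious": 2.0}  # assumed weights
FAVORABLE = 4  # per the guide, favorable ratings are 4 or 5


@dataclass(frozen=True)
class Weakness:
    ident: str      # identifier shared by management's assertion and the audit finding
    severity: str   # "low", "moderate" or "serious"


def _rating(penalty: float) -> int:
    """Map an accumulated penalty onto the 1-to-5 scale (assumed mapping)."""
    return max(1, min(5, math.floor(5 - penalty)))


def control_effectiveness_rating(findings) -> int:
    """Lowered by every weakness the auditors found, known to management or not."""
    return _rating(sum(SEVERITY_WEIGHT[w.severity] for w in findings))


def management_awareness_rating(asserted, findings):
    """Starts at 5 and is lowered only by findings that management did not
    assert at the start of the audit. If management had already identified
    every finding, awareness stays high even when controls need strengthening."""
    known = {w.ident for w in asserted}
    unrecognized = [w for w in findings if w.ident not in known]
    penalty = sum(SEVERITY_WEIGHT[w.severity] for w in unrecognized)
    return _rating(penalty), [w.ident for w in unrecognized]


def rate_business_unit(asserted, findings) -> dict:
    effectiveness = control_effectiveness_rating(findings)
    awareness, unrecognized = management_awareness_rating(asserted, findings)
    return {
        "effectiveness": effectiveness,
        "awareness": awareness,
        "meets_goal": effectiveness >= FAVORABLE and awareness >= FAVORABLE,
        "unrecognized": unrecognized,
    }


def board_summary(units: dict) -> list:
    """Units that miss the chairman's goal of favorable ratings in both categories."""
    return sorted(name for name, r in units.items() if not r["meets_goal"])


# Constructed scenarios (not real audit data).
# Unit A: management listed every weakness up front, but controls are weak.
A_ASSERTED = [Weakness("W1", "serious"), Weakness("W2", "moderate")]
A_FOUND = [Weakness("W1", "serious"), Weakness("W2", "moderate")]
# Unit B: management asserted nothing; the auditors found a serious weakness.
B_ASSERTED = []
B_FOUND = [Weakness("W3", "serious")]
# Unit C: one minor weakness, already known to management.
C_ASSERTED = [Weakness("W4", "low")]
C_FOUND = [Weakness("W4", "low")]


def sample_ratings() -> dict:
    return {
        "unit_a": rate_business_unit(A_ASSERTED, A_FOUND),
        "unit_b": rate_business_unit(B_ASSERTED, B_FOUND),
        "unit_c": rate_business_unit(C_ASSERTED, C_FOUND),
    }


if __name__ == "__main__":
    ratings = sample_ratings()
    for name, r in ratings.items():
        print(name, r)
    print("units below the chairman's goal:", board_summary(ratings))
```

Unit A shows the guide's point directly: its controls rate poorly, but because management had already asserted every weakness the auditors found, its awareness rating stays at 5.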
In such an environment, it is essential that (1) security specialists keep abreast of developing techniques and tools and the latest information about system vulnerabilities and (2) senior executives ensure they have the resources to do this. Several security managers told us that, in addition to reading current professional literature, their involvement with professional organizations was a valuable means of learning about the latest monitoring tools and research efforts. Examples of such organizations included the Computer Security Institute, Information Systems Security Association, the Forum of Incident Response and Security Teams, and less formal discussion groups of security professionals associated with individual industry segments. Several security managers said that by participating in our study, they hoped to gain insights on how to improve their information security programs.

Getting Started: Monitoring and Evaluating Policy and Control Effectiveness

Senior Program Officials: Determine what aspects of information security are important to mission-related operations and indicators to monitor the effectiveness of related controls.

CIOs: Include security-related performance measures when developing information technology performance measures.

Senior Security Officers: Establish a reporting system to account for the number and type of incidents and related costs. Establish a testing program to evaluate key areas and indicators of security effectiveness. Develop a mechanism for reporting evaluation results to key business managers and others who can act to address problems. Become an active participant in professional associations and industry discussion groups in order to keep abreast of the latest monitoring tools and techniques.

Conclusion

"We are on the verge of a revolution that is just as profound as the change in the economy that came with the industrial revolution. Soon electronic networks will allow people to transcend the barriers of time and distance and take advantage of global markets and business opportunities not even imaginable today, opening up a new world of economic possibility and progress."

Vice President Albert Gore, Jr., in the Administration's July 1997 report, A Framework For Global Electronic Commerce

To achieve the benefits offered by the new era of computer interconnectivity, the federal government, like other organizational entities and individuals, must find ways to address the associated security implications. Individual security controls and monitoring tools will change as technology advances, and new risks are likely to emerge. For this reason, it is essential that organizations such as federal agencies establish management frameworks for dealing with these changes on an ongoing basis.

Developing an information security program that adheres to the basic principles outlined in this guide is the first and most basic step that an agency can take to build an effective security program. In this regard, agencies must continually (1) explore and assess information security risks to business operations, (2) determine what policies, standards, and controls are worth implementing to reduce these risks, (3) promote awareness and understanding among program managers, computer users, and systems development staff, and (4) assess compliance and control effectiveness. As with other types of internal controls, this is a cycle of activity, not an exercise with a defined beginning and end.
By instituting such a management framework, agencies can strengthen their current security posture, facilitate future system and process improvement efforts, and more confidently take advantage of technology advances.

Appendix I
GAO Guides on Information Technology Management

Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997)
Measuring Performance and Demonstrating Results of Information Technology Investments, Exposure Draft (GAO/AIMD-97-163, September 1997)
Business Process Reengineering Assessment Guide (GAO/AIMD-10.1.15, April 1997, Version 3)
Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making (GAO/AIMD-10.1.13, February 1997, Version 1)
Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology (GAO/AIMD-94-115, May 1994)

Appendix II
NIST's Generally Accepted Principles and Practices for Securing Information Technology Systems

To provide a common understanding of what is needed and expected in information technology security programs, NIST developed and published Generally Accepted Principles and Practices for Securing Information Technology Systems in September 1996. Its eight principles are listed below.

1. Computer Security Supports the Mission of the Organization
2. Computer Security Is an Integral Element of Sound Management
3. Computer Security Should Be Cost-effective
4. Systems Owners Have Security Responsibilities Outside Their Own Organizations
5. Computer Security Responsibilities and Accountability Should Be Made Explicit
6. Computer Security Requires a Comprehensive and Integrated Approach
7. Computer Security Should Be Periodically Reassessed
8. Computer Security Is Constrained by Societal Factors

Appendix III
Major Contributors to This Executive Guide

Accounting and Information Management Division, Washington, D.C.: Jean Boltz, Assistant Director, (202) 512-5247; Michael W. Gilmore, Information Systems Analyst; Ernest A. Doring, Senior Evaluator

GAO Reports and Testimonies on Information Security (Issued since September 1993)

Social Security Administration: Internet Access to Personal Earnings and Benefits Information (GAO/T-AIMD/HEHS-97-123, May 6, 1997)
IRS Systems Security and Funding: Employee Browsing Not Being Addressed Effectively and Budget Requests for New Systems Development Not Justified (GAO/T-AIMD-97-82, April 15, 1997)
IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses (GAO/T-AIMD-97-76, April 10, 1997)
IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses (GAO/AIMD-97-49, April 8, 1997)
High Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997)
Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 24, 1996)
Financial Audit: Examination of IRS' Fiscal Year 1995 Financial Statements (GAO/AIMD-96-101, July 11, 1996)
Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996)
Information Security: Computer Hacker Information Available on the Internet (GAO/T-AIMD-96-108, June 5, 1996)
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996)
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/T-AIMD-96-92, May 22, 1996)
Security Weaknesses at IRS' Cyberfile Data Center (GAO/AIMD-96-85R, May 9, 1996)
Tax Systems Modernization: Management and Technical Weaknesses Must Be Overcome To Achieve Success (GAO/T-AIMD-96-75, March 26, 1996)
Financial Management: Challenges Facing DOD in Meeting the Goals of the Chief Financial Officers Act (GAO/T-AIMD-96-1, November 14, 1995)
Financial Audit: Examination of IRS' Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, August 4, 1995)
Federal Family Education Loan Information System: Weak Computer Controls Increase Risk of Unauthorized Access to Sensitive Data (GAO/AIMD-95-117, June 12, 1995)
Department of Energy: Procedures Lacking to Protect Computerized Data (GAO/AIMD-95-118, June 5, 1995)
Financial Management: Control Weaknesses Increase Risk of Improper Navy Civilian Payroll Payments (GAO/AIMD-95-73, May 8, 1995)
Information Superhighway: An Overview of Technology Challenges (GAO/AIMD-95-23, January 23, 1995)
Information Superhighway: Issues Affecting Development (GAO/RCED-94-285, September 30, 1994)
IRS Automation: Controlling Electronic Filing Fraud and Improper Access to Taxpayer Data (GAO/T-AIMD/GGD-94-183, July 19, 1994)
Financial Audit: Federal Family Education Loan Program's Financial Statements for Fiscal Years 1993 and 1992 (GAO/AIMD-94-131, June 30, 1994)
Financial Audit: Examination of Customs' Fiscal Year 1993 Financial Statements (GAO/AIMD-94-119, June 15, 1994)
Financial Audit: Examination of IRS' Fiscal Year 1993 Financial Statements (GAO/AIMD-94-120, June 15, 1994)
HUD Information Resources: Strategic Focus and Improved Management Controls Needed (GAO/AIMD-94-34, April 14, 1994)
Financial Audit: Federal Deposit Insurance Corporation's Internal Controls as of December 31, 1992 (GAO/AIMD-94-35, February 4, 1994)
Financial Management: Strong Leadership Needed to Improve Army's Financial Accountability (GAO/AIMD-94-12, December 22, 1993)
Communications Privacy: Federal Policy and Actions (GAO/OSI-94-2, November 4, 1993)
Document Security: Justice Can Improve Its Controls Over Classified and Sensitive Documents (GAO/GGD-93-134, September 7, 1993)
IRS Information Systems: Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information (GAO/AIMD-93-34, September 22, 1993)

Ordering Information

The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. Visa and Mastercard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

Orders by mail: U.S. General Accounting Office, P.O. Box 6015, Gaithersburg, MD 20884-6015

or visit: Room 1100, 700 4th St. NW (corner of 4th and G Sts. NW), U.S. General Accounting Office, Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using FAX number (202) 512-6000, or TDD (301) 413-0006. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (301) 258-4097 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: firstname.lastname@example.org
Executive Guide: Information Security Management: Learning From Leading Organizations (Exposure Draft) (Superseded by AIMD-98-68) (Superseded by AIMD-00-21.2.8)
Published by the Government Accountability Office on 1997-11-01.