What is the best practice approach that can help create a solid framework for establishing Information Security policies, procedures and practices?
Start by recognizing the aspects of information security set out in COBIT and other international standards, and by understanding how data privacy laws affect information security.
Information security is
- the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
- the balanced protection of the confidentiality, integrity and availability of data without hampering organizational productivity.
- a multi-step risk management process that identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls, followed by assessment of the effectiveness of the risk management plan.
Data protection and privacy are an integral part of information security measures.
- Wherever personally identifiable information (PII) or sensitive data is collected, stored, used and finally deleted or destroyed, privacy issues arise when the controls are inadequate or the disclosure of how the data is handled is insufficient.
- Financial records, credit card information, healthcare data, payroll information, social security numbers, Aadhaar card information, biometric traits, geographic location and residence, voting preferences, religious background, web-surfing behaviour, etc. all count as personal data and are subject to privacy laws to varying degrees.
- Many countries have laws on data privacy and protection; the most recent and most comprehensive is the GDPR for EU nations.
ISACA's COBIT 5 for Information Security is built on five principles:
- Meeting stakeholder needs.
- Covering the enterprise end-to-end.
- Applying a single integrated framework.
- Enabling a holistic approach.
- Separating governance from management.
MEETING STAKEHOLDER NEEDS
Stakeholders at different levels have different requirements. These business objectives must be translated into IT-related goals that enable the business goals to be met. Top-level stakeholders start with the Board of Directors, CEO and CFO, followed by the CIO, CTO and CISO. The next level is security managers and system administrators, followed by end users.
A top-down approach is the most sustainable and successful approach because it ensures
- clearly laid out policies, procedures and timelines;
- dedicated funding and clear planning;
- clear accountability for each of the processes;
- change management enforced throughout the organization for smooth adoption.
COVERING THE ENTERPRISE END-TO-END
- Start by understanding the elements of the information system: hardware, networks, software, databases, and the people and procedures connected with them.
- Next, assess vulnerabilities and check the adequacy of the controls established for network security: Wi-Fi networks, firewalls and the perimeter of your system landscape.
- Recognize the impact of the data protection and privacy laws in the locations where your business operates or intends to operate.
- The IT department should aim to cover all functions and processes of the business, including internal and external access to those processes.
- Treat all information and the related technologies as assets, just like any other asset in the business. Information is the crown jewel of your organization and must be protected at all times.
- Threat evaluation is not limited to the periphery of your system landscape; more importantly, it includes:
  - continuous, real-time monitoring of business application activity by people, remote calls between systems, and external threats and attacks, including recognition of social engineering tactics;
  - giving end users only the authorization they need, keeping segregation-of-duties conflicts to a minimum, and masking sensitive information from unauthorized users in compliance with privacy laws;
  - learning the normal patterns in logs and detecting anomalies, in order to identify attacks by external or internal users (pseudonymizing users during investigation);
  - a cyber security professional watching over a consolidated cockpit that integrates all events and logs for meaningful interpretation and action.
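As an added example, not taken from the original article or from ISACA's COBIT material, the following Python script shows the monitoring and investigation points above in miniature: it parses a few constructed authentication log lines, applies baseline rules (business hours, internal address space, a burst of failed logins followed by success) to flag anomalies, and reports the offending accounts under keyed pseudonyms so an analyst can correlate events without seeing the real identity until re-identification is authorized. The log format, the baselines, the thresholds and the key are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from any real system), in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice action=login result=ok src=10.1.4.20
2024-03-04T08:05:42Z user=bob action=login result=ok src=10.1.4.31
2024-03-04T09:10:03Z user=alice action=export result=ok src=10.1.4.20
2024-03-04T09:15:07Z user=carol action=login result=fail src=203.0.113.9
2024-03-04T09:15:09Z user=carol action=login result=fail src=203.0.113.9
2024-03-04T09:15:12Z user=carol action=login result=fail src=203.0.113.9
2024-03-04T09:15:14Z user=carol action=login result=fail src=203.0.113.9
2024-03-04T09:15:16Z user=carol action=login result=fail src=203.0.113.9
2024-03-04T09:15:20Z user=carol action=login result=ok src=203.0.113.9
2024-03-04T02:47:55Z user=bob action=export result=ok src=10.1.4.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Assumed baseline for the example: internal address space and business hours (UTC).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59 UTC
BRUTE_FORCE_THRESHOLD = 5                # failed logins ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this window, then a success

# Constructed key for the example; in practice it comes from a secret store and is
# held by the investigation owner, not by the analysts reading the findings.
INVESTIGATION_KEY = b"constructed-example-key-do-not-reuse"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def pseudonymize(user, key):
    """Keyed one-way pseudonym: stable per user, so events can be correlated,
    but not reversible without the key."""
    return "u-" + hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]


def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text, key):
    """Return (pseudonym, rule, detail) tuples for events that break the baseline."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    events.sort(key=lambda e: e["ts"])          # window logic needs time order
    findings = []
    failures = defaultdict(list)                # real user -> recent failed-login times

    for ev in events:
        who = pseudonymize(ev["user"], key)
        # Rule 1: any activity outside the business-hours baseline
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((who, "off_hours", ev["action"]))
        if ev["action"] != "login":
            continue
        # Rule 2: successful login from outside the internal address space
        if ev["result"] == "ok" and not is_internal(ev["src"]):
            findings.append((who, "external_source", ev["src"]))
        # Rule 3: burst of failed logins followed by a success (credential guessing)
        recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
        if ev["result"] == "fail":
            recent.append(ev["ts"])
            failures[ev["user"]] = recent
        elif len(recent) >= BRUTE_FORCE_THRESHOLD:
            findings.append((who, "brute_force_success", len(recent)))
            failures[ev["user"]] = []
    return findings


if __name__ == "__main__":
    for pseudonym, rule, detail in detect(SAMPLE_LOG, INVESTIGATION_KEY):
        print(f"{pseudonym}  {rule}  {detail}")
```

The findings carry only the HMAC pseudonym, so a report can be shared with the wider response team; re-identifying `u-...` to a real account requires recomputing the pseudonym with the key, which is a deliberate, auditable step rather than something every reader of the report can do.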
APPLYING A SINGLE INTEGRATED FRAMEWORK
COBIT 5 for Information Security provides an overarching governance and management framework that consolidates recognized standards and practices. It aligns with and maps to other frameworks such as ITIL, the ISO/IEC 27000 series, the ISF Standard of Good Practice for Information Security and US NIST SP 800-53A.
While evaluating a single integrated framework, keep in mind a holistic approach that can be broken down into achievable programmes suited to the organization in the short, medium and long term. A non-technical discussion of the requirements must precede any look at technical solutions that would address the pain points faced by different stakeholders.
ENABLING A HOLISTIC APPROACH
COBIT recommends a holistic approach that takes into account the following:
- Considers principles, policies and frameworks.
- Looks at processes, organizational structures, culture, ethics and behaviour.
- Deals with all information produced and used by the enterprise.
- Includes all the infrastructure, services and applications that provide the enterprise with IT processing.
- Ensures the people, skills and competencies are available for the successful completion of all activities and for making corrective decisions.
SEPARATING GOVERNANCE FROM MANAGEMENT
These two disciplines involve different activities, serve different purposes and are carried out by different parts of the organization.
- Governance is the responsibility of the Board and top management.
- Management is the responsibility of the executive management under the leadership of the CEO or CFO.
While governance sets the tone at the top by agreeing objectives, priorities and decisions, management plans, builds, runs and monitors the activities in alignment with the direction set by the governing body.