Most organizations agree that information security is the responsibility of all employees, yet many of them follow the traditional security management approach of centralizing most or all security tasks under a single group or person. In a world of distributed systems, dispersed endpoints and workforce, changing technology, and varied user needs, the Information Security Management System (ISMS) must itself be distributed to be effective and efficient.
To their credit, most companies require periodic security awareness training for their employees to teach them about security threats, their security responsibilities, and the consequences of security incidents, so that risk mitigation becomes a collective, shared effort. This is very important because employees who are unaware of the security risks and unintended consequences may place their companies at risk by letting strangers piggyback into the building or office, sending PII files through unprotected channels, clicking on dangerous links in emails and websites, and providing passwords or other information to imposters, to name a few examples. It is often reported that most data breaches are executed with stolen user credentials, and that privileged accounts offer attackers the best return on effort, which confirms the importance of training and testing employees on a continuous basis.
However, staff training does not address the risk of unethical employees with highly privileged accounts who can cause real damage just before their last day of employment, or even afterwards if the off-boarding process is weak and leaves departed employees with remote access to critical systems. Employee training also does not formally assign security ownership in all key areas. One way to address security accountability across the enterprise is by implementing a Distributed Information Security Management Model, or DISMM.
Distributed Information Security Management Model (DISMM)
DISMM is designed to distribute information security risk management across the organization and to assign specific security tasks and ownership to an Area Security Owner (ASO) in each appropriate business unit and department. In a sense, key individuals across the organization participate in security management and become quasi-security resources.
The benefits of DISMM for improving security cannot be overstated. They include:
- Effective security management process
- Reduced cost of security management
- Subject Matter Expert (SME) contribution
- Formal accountability across the Enterprise
- Improved collaboration across various business teams
- Make security an enterprise priority (vs. being just an IT task)
Security Council (SC)
From a governance standpoint, DISMM proposes the establishment of a Security Council (SC) comprised of key executives and persons from across all major entities within the organization to ensure input and collective accountability from all key areas of the organization.
Having the information security group report to a single person or group such as IT can create a conflict of interest unless the CISO has an open reporting line to the Board, a committee of the Board, or the CEO. Many companies believe that since most data are digital and the IT group is responsible for managing all systems that host that data, it makes sense to have the IT team also secure the data, which is true from an operations standpoint. However, IT may not want to be seen as deficient in the security controls of the systems it is responsible for managing, or may not consider security to be a priority and a critical part of its operation. This is why CEOs and CIOs, as well as the CISO, are on the hook when there is a data breach: they failed to address the governance aspect of information security and consolidated data security management under a single operations manager who can hide or ignore security management needs and weaknesses.
The main duties of the SC include:
- Approve the Information Security (IS) mission, program, and plans
- Understand the security posture of the organization
- Support the CISO in improving security by allocating the necessary funds and resources
- Empower the CISO within the organization as the authority for managing security
- Reach out to key executives to mitigate high risk security gaps
Chief Information Security Officer (CISO)
DISMM requires the designation of an independent person as Chief Information Security Officer (CISO). The CISO may report to a single person for administrative purposes; however, to avoid even the slightest appearance of a conflict of interest, the CISO must be independent from business and IT operations and report to the Security Council on all security matters.
The main role and duties of the CISO include:
- Publish the information security mission, goals, and objectives
- Establish IS program, plans, policies and standards
- Report periodically to the SC including plans, gaps, and remediation status
- Advise and guide Area Security Owners and CISO team members
- Be the main point of contact for all security matters, including contract reviews
- Stay on top of latest security threats and vulnerabilities
- Notify ASOs and security staff about the latest threats and vulnerabilities to be remediated
The CISO team can consist of a small number of staff, depending on the size of the organization, who handle the following tasks:
- Review documentation and information provided by ASOs
- Audit key security areas based on risks
- Contribute to RFP response submissions
- Respond to client/third party RFIs and audits
- Perform vendor security audits before onboarding and periodically thereafter
- Oversee incident management
- Execute annual access certification across key systems
Area Security Owners (ASO)
An ASO is an employee within a business unit who takes ownership for the security requirements of a particular area. The main duties of an Area Security Owner include:
- Commit to the information security mission of the organization
- Understand and perform key tasks assigned by the CISO team
- Create plans and procedures for ensuring the security of the assigned areas
- Identify and report challenges, security gaps, and remediation status to the CISO team on a timely basis
- Certify that security is maintained in the assigned area
This security ownership requires a mindset shift when developing and accepting job requirements. Employees must understand that security is inherently part of everything they do, whether they build systems, manage the office front desk, or oversee access management. Therefore, security ownership and accountability must be formally accepted when employees accept a job offer. Unless this shift in mindset happens, we cannot ensure data security comprehensively and effectively.
Key Areas for Security Ownership Consideration
An ASO can be assigned by the CISO and/or the head of the designated department. To accommodate workload, an ASO may or may not be responsible for the operations of the area, but is nevertheless accountable for making sure security is maintained in the assigned area. For areas which may have multiple assigned ASOs, such as “application security”, a Lead ASO (LASO) must be assigned to ensure that all application security ASOs follow the established protocol for securing each application. The following areas can be assigned to an ASO for security accountability.
- Server security (privileged accounts, file shares, configuration, patching) (IT)
- Network and related device security (Wi-Fi/Remote access/VPN/firewall, IPS/IDS, switches/routers) (IT)
- Security Operations Center (SOC) (security monitoring and incident reporting) (IT)
- Vulnerability assessment and penetration testing (IT)
- Security incident management and communication (IT-Public Relations)
- Data center security (IT)
- Disaster Recovery Plan (IT)
- Telecom security (emails, phones, file transfer, video, IM) (IT)
- Business Continuity Plan (Business)
- Building/office/desk security (Business)
- Application security (privileged accounts, access, configuration) (IT or Business)
- System/program change management (SDLC framework and compliance) (IT)
- User onboarding/off-boarding, access provisioning/deprovisioning (HR-IT)
- Endpoint security (IT)
- Employee training and awareness (HR)
- Data security (privacy compliance, encryption) (Legal/Compliance-IT)
The above is only a proposed, initial set of key areas, tasks, and departments. The DISMM proposal may not apply in its entirety to all organizations, but it can be modified to meet the needs of organizations that want an effective information security program with the lowest possible cost.
Audit and Certification
An ASO must periodically and formally certify that the security of the area meets the organizational requirements. An ASO may delegate security duties but remains ultimately responsible for the security of the assigned area.
To ensure compliance with the requirements of DISMM, the CISO team is responsible for performing risk-based audits of key security areas. This task can also be assigned to the service desk, which has the access, technical knowledge, and independence to validate security.
If budgets allow and contractual requirements dictate, an annual third-party audit and ISO 27001 certification may be warranted.