Standards of practice are great guides for organizations seeking to create and manage security policies and processes. And many auditors use standards to create relevant lists of key controls and how to apply those key controls to security efforts. Organizations benefit from these activities if management, audit, and security work closely together to ensure they enable the business. Organizations in which these groups operate within silos may suffer a loss of productivity, hindering the organization from moving toward its business objectives.

The challenge
Business managers have one primary outcome: to optimize profit. All other business activities support this. Yes, many organizations give back to their communities and take very good care of their employees. But a company can do nothing if its bottom line is continuously in the red.
A business operating today faces a significant challenge never anticipated several decades ago: how to use information technology to remain competitive while protecting the storage and movement of electronic intellectual property and sensitive personal information. The role of IS security and the auditors (both internal and third-party) is to enable the business to realize this objective.
Security teams and auditors typically select one or more standards of practice to assist in selecting the right controls. When not properly managed, this selection and implementation process may:
- Hinder the organization’s advance toward its strategic, tactical, and operational objectives; and
- Create a rift between IS security and audit that nurtures an environment of confrontation.
In both cases, the organization suffers.

The solution
First, let’s define the purpose of a standard of practice. A standard is a guideline, not a set of mandatory administrative, physical, and technical controls. Neither COBIT nor the ISO standards should be seen as having biblical weight. When properly used, a standard of practice helps security and audit ask the right questions and guide design teams.
Second, audit and security should not work from two different standards. They should work together to select and implement one or more standards of practice that make sense for their unique organization. But even when security and audit agree on the standards to use, what to implement and to what degree are often areas of contention.
Security and audit can eliminate most points of disagreement if they keep business objectives foremost in their minds. In other words, they should work together to enable the business to meet its business objectives. This isn’t possible without a clear understanding of architectural requirements.
Architectures form a framework within which security and audit integrate all other solutions, including controls. They provide a starting point for discussing what controls are necessary and how to measure them. There are four basic architectures which form the basis for all security, audit, and information technology design and implementation: information, network, system, and security.
As shown in Figure 1, information architecture is derived from business requirements. It describes what information is needed, who needs it, where, and when. A well-designed information architecture enables the effective use of information to meet business objectives.
Network architecture describes how information moves and is stored within the enterprise. Included in this design are interfaces with external entities with which the organization shares data.
System architecture defines system design. It enables systems, such as financial and human resource processing systems, to process data and provide meaningful information as defined within the information architecture.
Underlying all the technology architectures—network and systems—is the security architecture. It enables use of the other architectures with assurance that information use complies with regulatory requirements as well as customer and employee privacy expectations.
All architecture designs should be compared against one or more standards of practice. This comparison, occurring during all architecture design activities, enables management, network and systems engineers, and developers to ask the right questions. The answers to these questions, including how each element of standards applies to the organization’s unique environment, assist in the creation of an information processing environment possessing just the right amount of security. In other words, security protects operational activities without undue interference.
One step often missed during architectural design is defining how to measure success. How will the organization determine whether the outcomes of the architecture designs meet expectations? Who is responsible for validating that the architectures are properly used and that compliance is achieved? The answer to both questions is audit. Audit control design underlies all business activities, including technology design and implementation.
The team tasked with building and maintaining architectures should include a representative from the audit team. This person is responsible for ensuring definition of key performance indicators and how to measure them. By integrating audit into the design process:
- Management, technical, and audit teams are all using the same set of standards;
- All architecture stakeholders agree on what success looks like; and
- All architecture stakeholders agree on how to measure success.
Integrating audit into technical architectures ensures key controls actually mean something. Instead of arbitrary adherence to some standard of practice, they reflect the needs of the business.

The final word
Systematic implementation of business-enabling technology requires standards guidance, use of architectures for consistency, and application of audit methods to ensure outcomes. An organization in which these activities are not integrated will continually experience conflict between business management, security, and auditors. Bringing all requirements and concerns to one table for discussion and integration into architectural designs helps eliminate unproductive bickering and unnecessary controls while moving the business closer to meeting its strategic, tactical, and operational objectives.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.