
Citadel Information Group 323-428-0441 [email protected] Citadel-Information.com

The Citadel Way to Information Security Management

… A Management Guide by

Stan Stahl, Ph.D. Kimberly Pease, CISSP David Lam, CISSP, CPP

April 2017 © Copyright 2016. Citadel Information Group, Inc. All Rights Reserved.

FREE Award-Winning Weekly Cyber Security Newsletter & Vulnerability Report delivered to your in-box. Sign up at Citadel-Information.com


The Citadel Way to Information Security Management A Management Guide

Page 2

The Citadel Way to Information Security Management

The Objective of Information Security Management is to Manage Information Risk

• Cyber Fraud

• Business Email Compromise

• Information Theft

• Ransomware

• Denial of Service Attack

• Regulatory compliance

• Disaster

Information Risk Impacts Business Risk

• Loss of Money

• Loss of Brand Value

• Loss of Competitive Advantage

Information Risk Measures

• Thirty percent (30%) of cybercrime victims are smaller organizations

• Sixty percent (60%) of these victims are out of business within 6 months

• Eighty percent (80%) of these breaches are preventable with basic security management

Managing information risk means ensuring four things

1. The confidentiality and privacy of sensitive information

2. The integrity of information and data

3. The availability of critical information

4. The authenticity of communications

The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.

Major Gen Brett Williams, U.S. Air Force (Ret)

This Week with George Stephanopoulos, December 2014


The Context of Information Security Management

Information security management augments insurance and other forms of risk transfer. It also takes place in the legal context of commercial reasonableness.

The Information Security Management Chain

Managing the security of information hinges on five security management capabilities: 1

1. Identify: what information needs to be protected and where it is located

2. Protect: that information

3. Detect: information attacks and other incidents

4. Respond: to information attacks and other incidents, especially successful attacks

5. Recover: from the incident, returning to normal operations

The information security management community has begun referring to these capabilities as information resilience: The ability of an organization to continue to provide an acceptable level of performance throughout all phases of the management chain, particularly respond and recover.

1 NIST Cybersecurity Framework 1.0, February 12, 2014, Updated December 5, 2014


Information Security Success Strategies — The Critical Seven

The following seven critical success strategies are vital in implementing a successful, formal, risk-driven Information Security Management Program.

1. Put someone in charge. Establish leadership: an Information Security Manager / Chief Information Security Officer.

   a. C-Suite and Board Governance
   b. Independent Perspective from CIO or Technology Director
   c. Supported by Cross-Functional Leadership Team
   d. Supported with Subject-Matter Expertise

2. Implement formal risk-driven information security policies and standards.

3. Identify, document and control sensitive information.

4. Train and educate personnel. Change culture.

5. Manage 3rd-party security.

6. Manage IT Infrastructure from an “information security point of view” in accordance with standards.

7. Be prepared. Incident response. Business continuity planning.

The Vital Role Played by Information Security Management Policies and Standards

Information Security Management Policies and Standards are the key strategic management framework supporting commercially-reasonable information security management practices for small and medium-sized organizations. An organization’s Information Security Management Policies and Standards serve to:

1. Establish management’s commitment to securing critical information assets

2. Establish uniform organizational standards for securing critical information assets

3. Provide guidance to managers and other employees as to their information security responsibilities, obligations and duties

4. Provide standards for use by IT personnel in securely configuring and maintaining the IT Infrastructure

5. Provide an information security baseline for establishing adequate protection of an organization’s intellectual property, trade secrets and other proprietary firm information


6. Be aspirational, providing actionable guidance to an organization as it evolves its own unique information security management program

7. Support the all-important objective of creating an information security-aware culture 2

Information Security Policies and Standards also meet emerging information security laws, regulations and contractual requirements for information security policies. Information security policies are required, for example, by the following:

1. Federal laws, such as HIPAA and Gramm-Leach-Bliley which require the protection of personal health and financial information

2. Payment Card Industry Data Security Standard requiring the protection of card information

3. California Civil Code 1798.81.5 requiring California businesses to implement reasonable information security measures to protect personal information belonging to California citizens

4. The Federal Trade Commission (FTC) security and privacy regulations

5. Breach disclosure laws in several states

Citadel’s Information Security Management Policies and Standards are based upon industry standard frameworks such as ISO 27001 and ISO 27002, the National Institute of Standards Information Security Management Framework, the Payment Card Industry’s Data Security Standard, as well as HIPAA HITECH, GLB and other applicable Federal and State laws and regulations.

Information Security Management Policies

Citadel’s Information Security Management Policies are high-level statements of organizational and management responsibilities. These are purposefully minimal so as to provide the greatest flexibility to an organization’s attorneys in crafting the broader set of information security policies required by laws and regulations. Policy 2, for example, reads:

2. We are committed to securing the sensitive information in our possession in accordance with these legal, ethical, moral and other responsibilities. We understand that we must secure this information to ensure confidentiality, integrity and availability and we will secure information proportionate to the harm its loss could cause us, our clients, our staff and the community.

2 Beyond Information Security Awareness Training: It’s Time to Change the Culture, Stan Stahl, Ph.D., Information Security Management Handbook, Sixth Edition, edited by Hal Tipton and Micki Krause, Auerbach, 2006.

Policies define the rules. Standards set the bar.

As another example, Policy 4 reads in part:

4. Working in collaboration with the Information Security Manager, each Department is responsible for managing the security of the information it generates and uses. Department managers are expected to

i. identify, classify and control their information in accordance with the harm that would result from a loss of confidentiality, integrity or availability;

Information Security Management Standards

Citadel’s Information Security Management Standards, in contrast to Policies, are designed to be specific actionable requirements to be implemented by management, users and IT. And, unlike policies which are obligatory, standards are aspirational. As an illustration of a management standard, the following — from Section 2.3 of Citadel’s Information Security Policies and Standards — explicitly describes “how” an organization uses the Information Security Management Steering Committee to accomplish its information security management objectives. 3

The ISM (Information Security Manager), in collaboration with senior management, is to create an Information Security Management Steering Committee to provide organizational management and leadership. The ISM and the most senior IT staff member are members of the Steering Committee. Other Steering Committee members will be selected as appropriate to our ‘natural’ organizational structure. The objectives of the Information Security Management Steering Committee are to

• Assist the ISM in advancing our implementation of these policies and standards

• Work with the ISM to strengthen these standards as circumstances might require

• Provide organizational leadership to create and evolve an information security aware culture

3 See the next section for more information on the all-important Steering Committee.


The ISM chairs the Information Security Management Steering Committee. The Steering Committee is to meet on a regular basis, at least monthly.

Technical security management standards are designed to be explicitly actionable as in the following samples from Section 7 of our Information Security Management Policies and Standards.

7.1.2.2 Change vendor default passwords. Vendor-supplied defaults for system passwords and other security parameters, such as passwords, Simple Network Management Protocol [SNMP] community strings, and unnecessary accounts, are to be removed.

7.1.4.4 Information to be logged. At a minimum, the following is to be logged for each audited event on each system: user identification, type of event, event time, success or failure indication, origination of event, and identity or name of affected data, system component, or resource.
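As an added illustration of what 7.1.4.4 asks for in practice (example code written for this guide, not Citadel’s own tooling), the following script checks constructed sample log lines for the six required elements; the field names it maps them to, and the two record formats, are assumptions.

```python
"""Check audit-log records against the minimum field set of standard 7.1.4.4.

Added example, not part of Citadel's guide. The field names, the two record
formats and the sample log lines are constructed for illustration.
"""
import json
import re
from datetime import datetime

# The six elements 7.1.4.4 requires for each audited event, mapped to the
# (assumed) field name a system would write them under.
REQUIRED_FIELDS = {
    "user identification": "user",
    "type of event": "event",
    "event time": "time",
    "success or failure indication": "outcome",
    "origination of event": "src",
    "affected data, component or resource": "target",
}

# key=value tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Parse one log line, JSON or key=value, into a dict of strings."""
    line = line.strip()
    if line.startswith("{"):
        return {k: str(v) for k, v in json.loads(line).items()}
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def missing_elements(record: dict) -> list:
    """Return the 7.1.4.4 elements that are absent, empty or unusable."""
    missing = [element for element, field in REQUIRED_FIELDS.items()
               if not record.get(field)]
    # A timestamp that cannot be parsed is as useless as a missing one.
    if "event time" not in missing:
        try:
            datetime.fromisoformat(record["time"].replace("Z", "+00:00"))
        except ValueError:
            missing.append("event time")
    # "Success or failure" must be exactly that, not a free-text status.
    if ("success or failure indication" not in missing
            and record["outcome"].lower() not in ("success", "failure")):
        missing.append("success or failure indication")
    return missing


def audit(lines) -> dict:
    """Map each non-compliant line number (1-based) to its missing elements."""
    findings = {}
    for n, line in enumerate(lines, 1):
        if line.strip():
            gaps = missing_elements(parse_record(line))
            if gaps:
                findings[n] = gaps
    return findings


# Constructed sample: a compliant JSON record, a key=value record with no
# origin, one with an unparseable time, and one with an empty user and a
# vague outcome.
SAMPLE_LOG = [
    '{"time": "2017-04-03T14:02:11Z", "user": "jdoe", "event": "login", '
    '"outcome": "success", "src": "10.0.0.12", "target": "vpn-gateway"}',
    'time=2017-04-03T14:05:40Z user=svc_backup event=file_read '
    'outcome=failure target="/srv/finance/q1.xlsx"',
    'time=yesterday user=admin event=config_change outcome=success '
    'src=10.0.0.5 target=fw01',
    '{"time": "2017-04-03T15:00:00Z", "user": "", "event": "delete", '
    '"outcome": "done", "src": "10.0.0.7", "target": "hr-db"}',
]

if __name__ == "__main__":
    for lineno, gaps in audit(SAMPLE_LOG).items():
        print(f"line {lineno}: missing {', '.join(gaps)}")
```

Run against a real export, the findings list is the evidence for an auditor that the logging standard is, or is not, being met per system.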

7.2.2.4 Enterprise-level patch management must be in place

IT will implement an enterprise-level patch management system to include both automation of patch application and scanning for vulnerabilities/missing patches with a system such as Nessus.

7.3.1.5 Individual access is granted on job need and information Owner authorization.

IT is to limit access to restricted systems and information to only those individuals whose job requires such access, as determined by the information Owner; deny-all is to be the default position when assigning permissions.
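An added example, not from Citadel’s guide, of how 7.3.1.5 can be verified during an access review: permissions actually granted on systems are reconciled against information-Owner authorizations, and any permission without a current Owner approval is reported for revocation, because deny-all is the default position. The record layout, the Owner table and the sample data are constructed.

```python
"""Access review for standard 7.3.1.5: deny-all by default, access only on
job need with information-Owner authorization.

Added example, not part of Citadel's guide. The record layout, the Owner
table and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One Owner's approval of one person's access to one restricted resource."""
    user: str
    resource: str
    approved_by: str   # should be the resource's information Owner
    expires: date      # job need is re-confirmed when this lapses


# Constructed: which role owns each restricted resource.
RESOURCE_OWNERS = {
    "finance-share": "cfo",
    "hr-db": "hr_director",
}


def authorization_gap(user, resource, authorizations, today):
    """Return None if a current Owner authorization exists, else the reason
    the permission fails 7.3.1.5. With no matching record the answer is
    'deny': that is the default position."""
    owner = RESOURCE_OWNERS.get(resource)
    if owner is None:
        return "no information Owner assigned to resource"
    matches = [a for a in authorizations
               if a.user == user and a.resource == resource]
    if not matches:
        return "no authorization on file"
    for a in matches:
        if a.approved_by == owner and a.expires >= today:
            return None
    a = matches[0]
    if a.approved_by != owner:
        return f"approved by {a.approved_by}, not Owner {owner}"
    return f"authorization expired {a.expires.isoformat()}"


def review(granted, authorizations, today):
    """Map each (user, resource) permission lacking a valid Owner
    authorization to the reason; these are the permissions to revoke."""
    findings = {}
    for user, resource in sorted(granted):
        gap = authorization_gap(user, resource, authorizations, today)
        if gap:
            findings[(user, resource)] = gap
    return findings


# Constructed sample data.
AUTHORIZATIONS = [
    Authorization("alice", "finance-share", "cfo", date(2018, 1, 1)),
    Authorization("bob", "hr-db", "it_director", date(2018, 1, 1)),    # wrong approver
    Authorization("carol", "finance-share", "cfo", date(2017, 1, 1)),  # lapsed
]
# Permissions as actually configured on the systems (e.g. from an ACL export).
GRANTED = {
    ("alice", "finance-share"),
    ("bob", "hr-db"),
    ("carol", "finance-share"),
    ("dave", "hr-db"),          # never authorized
    ("erin", "legacy-app"),     # resource has no Owner
}
REVIEW_DATE = date(2017, 4, 3)

if __name__ == "__main__":
    for (user, resource), reason in review(GRANTED, AUTHORIZATIONS, REVIEW_DATE).items():
        print(f"revoke {user} on {resource}: {reason}")
```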

7.5.1.1 Backup and recovery must be implemented.

IT is to establish and implement systematic procedures, approved by the ISM, for performing backups of all servers which the ISM specifies as requiring backup. These procedures are to ensure that all critical information is correctly backed up, support data recovery, and implement policy for recording, retention, and destruction of information in systems.

7.6.4.3 Obtain continuing cyber security professional education.

IT personnel are expected to obtain continuing cyber security professional education to stay current on the latest trends in information security.


Citadel’s Information Security Policies and Standards — Table of Contents


The Information Security Management Steering Committee

Since everyone has a role to play in securing information, information security management must encompass the entire organization. In this sense, information security management must be managed as a cross-functional responsibility. This is the function of the Information Security Management Steering Committee. Different organizational structures will call for different people to be the information security manager and to serve on the steering committee. The following table provides a few illustrations. Treat them as illustrations of what you may wish to do in your company.

Organizational Type                  | Information Security Manager | Steering Committee
eCommerce                            | Chief Operating Officer      | HR Director, CFO, Other Department Heads, IT Director, Director of SW Development
Professional Services                | Partner-in-Charge of IT      | Other Department Heads, Chief Operations Officer, IT Director
Manufacturing / Distribution Company | CFO                          | Chief Operating Officer, Other Department Heads, HR Director, IT Director
Medium-Size Non-Profit               | CFO                          | Director of Operations / Programs, Director of Development, HR Director, IT Director

The idea is to have people on the Steering Committee who ‘touch’ (i) users, (ii) core business processes and (iii) management of the technology infrastructure.


Getting Started: The Initial Assessment

Citadel works with a wide variety of companies, in different industries, with different information security needs and different cultures. As a result, we have learned to be very flexible in delivering information security services. Nowhere is this flexibility more important than at the beginning of an engagement with a new organization.

Some organizations already have in place the elements of an Information Security Management System. The starting point for these organizations is a top-to-bottom assessment designed to provide an actionable set of findings and recommendations across the entire organization. The objective is to put together an appropriate assessment, deep enough to get actionable findings and recommendations while still sufficiently cost-effective to avoid diminishing returns.

In situations common in many small and medium-sized organizations, the organization will have a degree of information security management in IT but will not yet have begun to implement the other elements of information security management. A natural starting point for these organizations is to combine an assessment of IT security management with implementing basic “corporate-level” information security management, as described in Sections 1-6 of our Information Security Management Policies and Standards.

Either way, the important thing is to just get moving.

The Three Phases of Information Security Management

If you don’t know where you are, a map won’t help ... Chinese Proverb.

Phase 1: Build Information Security Management Foundation

During Phase 1, management attention is focused on getting management control and the necessary basics in place. It is intended to be short-term, 2-3 months.

• Establish leadership

• Institute Policies and Standards

• Provide Staff Awareness Training

• Conduct Information Risk Assessment, focusing on security management of the IT network

• Present Findings and Recommendations to Management

Phase 2 Grow Discipline: Implement Information Security Management Practices

During Phase 2, the organization puts in place basic information security practices.

• Establish Steering Committee


• Establish Governance Support and Oversight

• Plan Information Security Management Implementation

• Implement Findings from Information Risk Assessment

• Identify, Document and Control Sensitive Information

• Implement 3rd-Party & Vendor Security Management

• Incident Response / Business Continuity Management

• Conduct Quarterly Reviews & Scans

• Conduct Annual Information Security Risk Assessment

• Conduct Annual Information Security Management Plan

• Support Business Development / Customer Security Reviews

A natural transition point between Phase 2 and Phase 3 is the development of an Information Security Management Dashboard. It’s natural for Phase 2 to take 9 - 12 months, or even substantially longer, depending on the availability of resources and the aggressiveness of the organization.

Phase 3 Steady-State: Continuous Improvement

Information security management requires continuous performance improvement so as to identify and respond to

1. Changes in the threat environment, laws and regulations and their impact on an organization’s associated risk profile

2. The availability of new and improved countermeasures

3. Discovered weaknesses in existing countermeasures

ISO 27001 explicitly formalized continuous improvement in its 2005 release when it introduced the concept of an Information Security Management System (ISMS): 4

that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. … The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

To manage ongoing continuous improvement, Citadel has developed and uses a powerful easy-to-use proprietary methodology called the Spiral Model of Continuous Information Security Management Improvement.

4 ISO/IEC 27001:2013 - Information technology -- Security techniques -- Information security management systems -- Requirements. International Organization for Standardization.


As illustrated in the following diagram, there are four basic steps to the Spiral Model:

1. Assess the situation

2. Decide what to do to improve the situation

3. Plan the improvement project

4. Implement the improvement plan

[Diagram: the Spiral Model cycle: Assess Current Information Security Capabilities and Needs; Decide Information Security Improvement Objectives; Plan Information Security Improvement Implementation; Implement Information Security Improvement Plan. The cycle is driven by Information Security Requirements & Expectations and sits within the Information Security Management System’s Continuous Improvement.]

The Spiral Model of Continuous Information Security Management Improvement is based upon several performance improvement models. These include

1. W. Edwards Deming’s famous Plan-Do-Check-Act methodology for improving manufacturing systems, found also in ISO 27001

2. The OODA loop—observe, orient, decide, act—that emerged in studies of fighter pilots

3. A risk-driven spiral model for systems and software engineering developed at TRW in the 1980s 5

Like all of these models, Citadel’s Spiral Model embraces the fundamental human improvement cycle: Action, Feedback, Synthesis.

5 Boehm B, "A Spiral Model of Software Development and Enhancement", ACM SIGSOFT Software Engineering Notes, ACM, 11(4):14-24, August 1986 and IEEE Computer, IEEE, 21(5):61-72, May 1988. Citadel’s Dr. Stahl worked with Dr. Barry Boehm at TRW during the time when Boehm was developing his software engineering spiral model.


Summary — The Citadel Way

The Objective of Information Security Management is to manage the business risk associated with the confidentiality, integrity, availability and authenticity of information. To do so, an organization needs to implement a formal risk-driven Information Security Management Program including the following seven critical success strategies.

1. Information Security Manager / Chief Information Security Officer

2. Implement formal risk-driven information security policies and standards

3. Identify, document and control sensitive information

4. Train and educate personnel. Change culture.

5. Manage 3rd-party security

6. Manage IT Infrastructure from an “information security point of view”

7. Be prepared. Incident Response and Business Continuity Planning.

Information Security Policies and Standards are central to information security management success. Information Security Management Policies and Standards provide management with the necessary “what-to-do” and “how-to-do-it” in managing information security.

Information security management requires disciplined, ongoing management attention. Citadel’s proprietary Spiral Model of Continuous Information Security Management Improvement℠ provides organizations with a structured way of achieving this.

The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.

Major Gen Brett Williams, U.S. Air Force (Ret)

This Week with George Stephanopoulos, December 2014


CITADEL INFORMATION GROUP

Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community.

Citadel Information Group is a full-service integrated information security management firm. We work consultatively or as part of a client’s senior management team to help clients cost-effectively manage the confidentiality, privacy, integrity and availability of their information. We are particularly adept at working with small and medium-sized organizations, where we often provide a combination of management expertise, technology know-how, leadership, coaching and training. As leaders in the Los Angeles information security community, we are experienced in security management best practices such as ISO 27001-02, the NIST Framework, the Center for Internet Security, CISSP, CISM, ITIL® and six-sigma, as well as compliance requirements such as HIPAA HITECH, GLBA, SEC, PCI DSS and Breach Disclosure.

Information Security Management Services

• Chief Information Security Officer Services

• Information Security Policies and Standards

• 3rd-Party Vendor Information Security Management

• Information Security Strategy Development

• Information Security Management Planning

• Information Security Reviews and Assessments

• Board & C-Suite Education

• Secure IT Network Design

• IT Network Vulnerability Testing

• Website Security Test and Evaluation

• Staff Awareness Training

• Phishing Defense Training

• IT Security Management

• Adverse Termination Support

• Incident/Breach Response Services, including Forensics

• Information Continuity / Disaster Recovery Planning


What Some of Our Satisfied Clients Say About Us

You threw me a lifesaver and pulled me in when I was surrounded by sharks. I’ll never forget that. …

Donna Nakawaki, CFO, Rem Eyewear

Thank you for the superb oversight, attention to detail, and conscientious natures you exhibit. It truly helps us all sleep better. … Kathleen Ruddy, CEO, St. Baldrick’s Foundation

What a great experience it was working with Kimberly and David, especially considering the extreme pressure we were all under. Your efficiency, thorough understanding of business risks, acute attention to detail and professionalism ensured us a successful outcome in this intense situation. … Alex Moratorio, CIO, Citadel client

Thank you and the Citadel team in helping us kick start our Information Security Management Plan. I have this as a standing item on our bi-weekly Leadership Team Meeting. … Lorraine F., CIO, Citadel client

Wow – what a lot of information to help us structure, safeguard and secure our most important and confidential information. I met with our CEO this morning to briefly discuss it and she is very glad that the organization is moving in this direction. … Christy, Director of Human Resources, Citadel Client

You have a fantastic team. Working with David and Kimberly has been a great experience for all of us. You guys have helped so much already, and we are really looking forward to what comes next. All of you have made us confident that we are in great hands. … Robert Kersnick, COO, AIA

Well, you’re a rock star, Kimberly! There have been cyber security sessions at previous AZA CFO Conferences, but several people said that this was the most informative…largely because of the informality of it coupled with your rigorous information. In fact, several of the CFO spouses said they found it fascinating, so you were a hit with the lay audience as well! … Jeb Bonner, CFO, Greater Los Angeles Zoo Association

You were absolutely the MVP of our conference, Stan. Our members really appreciated the conversational style of your presentation and the valuable information you shared. … Dan Terheggen, Multifamily Broadband Council

CITADEL INFORMATION GROUP

Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community.

Please contact us for a free consultation. Benefit from our years of cyber security management experience along with our leadership in the Los Angeles cyber security community.

[email protected] 323-428-0441 www.citadel-information.com

© Copyright 2016. Citadel Information Group. All Rights Reserved.