
A RESOURCE GUIDE FOR INFORMATION SYSTEM SECURITY OFFICERS: A Compendium of Information Security Acts, Standards, and Guidelines

An integrative project submitted by Ken Fogalin to the School of Business and Technology in partial fulfillment of the requirement for the degree of MASTER OF SCIENCE in INFORMATION TECHNOLOGY - INFORMATION SECURITY SPECIALIZATION

This integrative project has been accepted for the faculty of Capella University by: Professor Sharon Gagnon

Capella University, Minneapolis, MN
Copyright © March 19, 2006 Ken Fogalin


Description: A brief review of the most popular information security standards and a relative rating of their value to Information System Security Officers.


Digitally signed by Ken Fogalin
DN: CN = Ken Fogalin, C = CA, O = Department of National Defence, OU = Directorate of Information Management Security
Reason: I am the author of this document
Location: Ottawa, Ontario
Date: 2006.03.09 17:01:02 -05'00'

Abstract

This paper serves as a single-source introductory guide to the commonly recognized and accepted national and international information security (INFOSEC) acts, standards, and guidelines. It introduces the key elements of a complete INFOSEC program as well as the role and responsibilities of Information System Security Officers (ISSOs). It provides ISSOs with an overview of the substantial security measures and best security practices that are currently available to protect their company network and helps them determine whether their company network is compliant with mandated acts and standards. This paper describes the INFOSEC acts, standards, and guidelines in terms of how they relate to different security issues such as governance, privacy, and protection of critical assets. In addition to providing a broad overview of each security reference, this paper also provides a qualitative assessment of each reference in terms of its helpfulness to ISSOs. Therefore, this paper is valuable as a basis on which businesses could develop an in-house ISSO course. Finally, this paper serves as a reference document for the ISSO community at large when they need to provide advice to their Chief Information Officer (CIO).


Dedicated to Nancy, Rachel, and Sarah for their love, support, and understanding, especially during these past two years.


CONTENTS

Abstract
List of Tables
Table of Figures
PART I
  Chapter 1 - Introduction
    Scope of This Paper
  Chapter 2 - Elements of an INFOSEC Program
  Chapter 3 - Role and Responsibilities of ISSOs
  Chapter 4 - Review of the Literature
    Information Security Harmonisation
    A Comparative Study of IT Security Criteria
    International Codes of Practice for Information Security Management
    Conclusion
PART II
  Chapter 5 - Government Acts
    Personal Information Protection and Electronic Documents Act (PIPEDA)
    Health Insurance Portability and Accountability Act (HIPAA)
    Sarbanes-Oxley Act (SOX)
    Gramm-Leach-Bliley Act (GLBA)
    Summary of Government Acts
    Rating of Government Acts
  Chapter 6 - INFOSEC Standards
    Generally Accepted Principles and Practices for Securing Information Technology Systems
    OECD Guidelines for the Security of Information Systems and Networks
    Generally Accepted Information Security Principles (GAISP)
    German IT Security Guidelines
    COBIT
    ISO/IEC 17799 Code of Practice for Information Security Management
    BS 7799-2 Specification for Information Security Management Systems
    Summary of INFOSEC Standards
    Rating of INFOSEC Standards
  Chapter 7 - INFOSEC Guidelines and Best Practices
    AICPA/CICA Privacy Framework
    ISO/IEC TR 13335 Guidelines for the Management of IT Security (GMITS)
    An Introduction to Computer Security: The NIST Handbook
    RFC 2196 Site Security Handbook
    The Standard of Good Practice for Information Security
    The CERT Guide to System and Network Security Practices
    Summary of INFOSEC Guidelines and Best Practices
    Rating of Guidelines and Best Practices
PART III
  Chapter 8 - Conclusions
    Overall Rating of Acts, Standards, and Guidelines
  Chapter 9 - Recommendations for Further Study
References
APPENDIX A GLOSSARY OF TERMS
APPENDIX B RECOMMENDED INFOSEC RESOURCES FOR FURTHER READING


List of Tables

Table 1. Rating scale for acts, standards, and guidelines indicating their helpfulness to ISSOs.
Table 2. Summary of acts and their helpfulness to ISSOs.
Table 3. Summary of INFOSEC standards and their helpfulness to ISSOs.
Table 4. Summary of INFOSEC guidelines and their helpfulness to ISSOs.
Table 5. Quick reference to the INFOSEC acts, standards, and guidelines and their helpfulness to ISSOs.


Table of Figures

Figure 1. Example of how COBIT presents its control objectives.
Figure 2. Example of how ISO 17799 organizes and presents safeguards.
Figure 3. Typical threats to confidentiality, integrity, and availability.
Figure 4. Example of how ISF's Standard organizes and presents its security practices.


PART I

Chapter 1 - Introduction

For the past thirty years, the information security (INFOSEC) profession has emerged on the international stage in a fragmented manner with little cohesive organization. The evidence for this generalization comes from the barrage of network intrusions and the escalating number of independent INFOSEC reports, acts, standards, and guidelines in both the public and private sector. According to Carnegie Mellon University's CERT Coordination Center, the quantity of INFOSEC incidents reported by businesses has doubled every year since 2000, and a survey of the literature indicates that the number of INFOSEC reports, standards, and guidelines mirrors this growth (Conner, 2003). The proliferation of security acts, standards, and guidelines exists because, in today's electronic commerce economy, the stakes of not securing the flow of information are particularly high.

Furthermore, no one agency has prescribed an all-encompassing security standard that satisfies both national and international business partners. The U.S. Government has established a significant legislative and regulatory regime around information technology (IT) security, yet it is considering additional action because many companies have not sufficiently addressed (or may not be aware of) the laws that govern how they must address their INFOSEC needs (Conner, 2003). In addition, there is already broad consensus on common solutions to IT security.

Despite this, the avalanche of literature that prescribes security measures and practices to protect a business's critical information assets continues to grow into a complex web of requirements. Complicating this issue is the fact that there is no clear linkage among the INFOSEC standards, so businesses may find themselves working with a dozen standards in parallel as they cross international boundaries; and someone has to make sense of it all.

Making sense of it all is a task that typically rests with the Chief Information Officer (CIO), who implements and manages the company's INFOSEC program. However, the CIO relies heavily on a team of subject matter experts to conduct the day-to-day security operations. On this team, the Information System Security Officer (ISSO) is one of the CIO's key subject matter experts.

As such, ISSOs must possess a strong technical background combined with a good working knowledge of the acts that mandate security measures for their business, and the myriad of standards and guidelines that are available to help achieve compliance with the applicable laws. In essence, ISSOs need to raise their awareness of key acts and their working knowledge of other, more detailed, security-related documents, to effectively perform their day-to-day duties and maintain their subject matter expertise.

Therefore, this paper discusses the commonly recognized and accepted national and international INFOSEC acts, standards, and guidelines that ISSOs need to have knowledge of in order to advise their CIO. Security acts, standards, and guidelines obviously co-exist with other security requirements within an overarching INFOSEC program. Accordingly, Chapter 2 defines what an INFOSEC program is and then provides a broad overview on what constitutes the key elements of an INFOSEC program. Then, Chapter 3 describes the key responsibilities typically expected of ISSOs and the role they play within the overarching INFOSEC program.


Chapter 4 follows with a brief review of the literature, which represents what other authors have written about the well-known security standards and guidelines. Chapters 1 to 4 form Part I of this paper and serve as background information. It is not necessary for the reader to have an intricate knowledge of Part I to understand and use the information in Part II of this paper. Nevertheless, Part I is presented for the benefit of the less-experienced INFOSEC professional.

Part II of this paper represents the main body of information and provides an independent discussion of each of the INFOSEC acts (Chapter 5), standards (Chapter 6), and guidelines (Chapter 7). These chapters give a broad picture of each of these security documents in terms of:

1. Who issued it, and who is the target audience?
2. What type of document is it, and what are its security objectives?
3. Where does it apply (i.e., to which type of business)?
4. When was it published (i.e., how current is it)?
5. Why is it important?

At the conclusion of each chapter, the acts, standards, and guidelines are summarized and assigned a rating that indicates how helpful they may be to ISSOs. Table 1 shows the rating scale this paper uses; it is based on the author's personal experience as an ISSO.


Table 1. Rating scale for acts, standards, and guidelines indicating their helpfulness to ISSOs. The scale runs from least to most helpful; the meaning of each rating is:

- Not helpful at all.
- Little or no direct relevance, but may be helpful as awareness.
- Unlikely to provide real benefit, but is helpful if it is used with complementary documents.
- Provides helpful guidance with a good level of detail, but it may not be directly relevant to the ISSO's day-to-day duties.
- Provides very helpful and relevant information, but the level of detail may sometimes be inadequate.
- Provides exceptionally helpful information, which is highly relevant and sufficiently detailed.

Chapter 8 summarizes the major points of this paper. Finally, Chapter 9 provides some recommendations for further study. In addition, this paper provides an appendix of additional security resources (Appendix B) that are of value to ISSOs but do not directly relate to the main purpose of this paper. Appendix B does not provide a detailed discussion of the additional references; rather, it simply provides a categorized list of other security resources and information about where they can be obtained.

Scope of This Paper

This paper does not attempt to deal with all the literary resources that ISSOs should be concerned about within the entire spectrum of an INFOSEC program. A more achievable objective is to present the most relevant and well-established information that ISSOs rely upon to conduct their day-to-day duties and protect their company's critical information assets. Certainly, to perform the full range of their duties and to maintain their subject matter expertise, ISSOs need access to other resources and require knowledge and skills that are well beyond what this paper presents. Therefore, mention of many of these other resources is included in Appendix B so as not to detract from the main purpose of this paper. For example, in order to select and apply appropriate safeguards, ISSOs must first conduct a vulnerability assessment (VA) and a threat and risk assessment (TRA). Appendix B includes a number of key references that describe how to do these assessments. In addition, ISSOs may be involved in conducting security education and awareness training. References are included in Appendix B that may help with this task as well. Also included in Appendix B are a number of references that may be of professional development value to ISSOs. For companies looking to develop their own in-house ISSO training course, these additional references should also form part of the curriculum.


Chapter 2 - Elements of an INFOSEC Program

The INFOSEC program is the overarching structure that brings organization and governance to all components of INFOSEC. This program allows individual security elements, which are modular in nature, to work in harmony within the enterprise to support its business goals. Many businesses might consider the INFOSEC program a back-office technical specialty; nevertheless, it is a required business function that is still evolving (Pironti, 2005). However, the evolution of an INFOSEC program has not gained wide consensus or recognition.

Therefore, the Human Firewall Council solicited recommendations from security experts and industry groups to define a practical cross-industry, global definition of what an INFOSEC program should consist of. In their 2003 Security Management Index Report, the Human Firewall Council categorized an INFOSEC program into ten key components. These ten components, which correlate directly with the ten sections of the ISO/IEC 17799 international standard, are:

1. Security policy.
2. Organization of assets and resources.
3. Asset classification and control.
4. Personnel security.
5. Physical and environmental security.
6. Communications and operations management.
7. Access control.
8. Systems development and maintenance.
9. Business continuity management.
10. Compliance (Rasmussen, 2003).


Due to the Human Firewall Council's definition, the term INFOSEC program now has some meaning and is starting to gain acceptance within the business community. However, it is prudent to keep in mind that an INFOSEC program may not always fit neatly into the ten categories described by the Human Firewall Council. This structure may work well for large corporations, but small and medium-sized organizations will likely have to combine functionality across these categories to produce an integrated and holistic INFOSEC program (Rasmussen, 2003). By aligning their INFOSEC program with leading industry practices, businesses will have a much greater chance of achieving compliance with current INFOSEC acts and standards, and will be well placed to comply with future regulations (Pironti, 2005).

Achieving such alignment requires leadership, management, and teamwork. The CIO is without question a key player in integrating all the elements of an INFOSEC program into the business's operational mindset. However, the CIO depends on other management staff to fulfill critical security functions; the ISSO is one of those vital members of the security team and the primary audience for this paper.


Chapter 3 - Role and Responsibilities of ISSOs

In Federal organizations, ISSOs are the organization's officials who are responsible for maintaining the appropriate day-to-day operational security posture for a specified information system or program (Swanson, 2006). ISSOs have many responsibilities; however, a key duty is assisting senior INFOSEC officials (such as the CIO) with the identification, implementation, and assessment of security controls. Another key duty is developing and updating information system security plans and advising the information system owner about changes to the system and the security impact of those changes (Swanson, 2006).

However, this description does not adequately convey the true breadth of the role and responsibilities of an ISSO in most businesses, and there is wide disparity in the ISSO's reporting channels and duties depending on his or her place of employment. For example, in medium to large companies the ISSO position is a full-time job, while in smaller businesses it remains mostly a part-time job (i.e., it is a secondary responsibility for one of the business's full-time employees). Nevertheless, ISSOs hold an extremely important position as leaders and in-house consultants on information-protection matters and are still generally part of the IT department's function (Kovacich, 2003).

Ideally, an ISSO should report directly to the CIO, but this is seldom the case in large organizations. More frequently, an ISSO will report to an intermediate officer, commonly referred to as the Information System Security Manager (ISSM). The ISSM focuses more on security program requirements and the higher-level management functions required to implement the security program. The ISSO, in turn, acts for the ISSM by carrying out the day-to-day security procedures (Gallagher, 1992). To fulfill this responsibility, ISSOs require a solid technical background that includes thorough knowledge of the threats to and vulnerabilities of information systems, as well as broad knowledge of the INFOSEC acts, standards, and guidelines that the INFOSEC industry commonly uses to mitigate such threats and vulnerabilities. This latter knowledge is essential for ISSOs to enforce security policies and safeguards and to ensure compliance with mandated security rules and standards (Gallagher, 1992).

Educating ISSOs on the deluge of INFOSEC acts, standards, and guidelines can be an overwhelming task for many businesses. Determining which of the acts, standards, and guidelines are most pertinent can be an even more daunting task. Therefore, this paper aims specifically at meeting these two goals: educating and guiding ISSOs to help them discover the most prevalent acts, standards, and guidelines, and deciding which ones are most relevant to the business they are protecting.


Chapter 4 - Review of the Literature

One of the goals of this paper is to demonstrate to ISSOs that there is a considerable amount of information already available to them to help protect their company's critical information assets. This information comes in a variety of forms, such as acts, standards, and guidelines. Therefore, there is little need for a company to develop its own INFOSEC standards; most companies simply need to adapt and apply what other security experts are currently doing. Other authors have written various articles, documents, and reports analyzing and evaluating the security acts, standards, and guidelines that the worldwide community commonly accepts as proven and effective. Hence, it is prudent to review such literature and identify any patterns that would indicate which of the well-known security acts, standards, and guidelines have significant value for ISSOs. The literature on INFOSEC is plentiful, but most of the articles limit their review to a single regulation, standard, guideline, or best practice document. There is some literature linking one particular standard to another, but there are only a few significant pieces of literature that attempt to compare multiple standards and guidelines.

Information Security Harmonisation

First, the technical study entitled Information Security Harmonisation (Macartney, 2005) represents a significant contribution to the literature because it attempts to define a framework to compare the broad base of INFOSEC standards and guidelines documents. Macartney (2005) argued that numerous security standards, guidelines, and codes of practice exist without any linkage to each other - in other words, without a framework on which to express or develop their objectives. Rather, most security documents focus on one or more security issues of importance, but not necessarily in context with other published works. Therefore, under direction from the Information Technology Governance Institute, Macartney's technical study of the INFOSEC-focused literature provides a comprehensive road map to seventeen INFOSEC documents that are commonly recognized and accepted worldwide. Macartney classified and evaluated each security document in the same manner and by using the same criteria. The evaluative framework included:

1. What organization issued the document?
2. What type of document is it (for example, an international or national standard, guideline, or best practice)?
3. What principal area of security does it fulfill (for example, security management, security principles, high-level safeguards, detailed safeguard practices, or security methodology)?
4. What is the circulation of the document (for example, worldwide or regional)?
5. What is the stated purpose of the document?
6. What are the drivers for implementing the guidance?
7. What are the identified risks of not implementing the guidance?
8. Who is the stated target audience of the document?
9. How current is it and how often is it revised?
10. What certification opportunities exist for adherence to or knowledge of the guidance, at either the organization or individual level?
11. How complete is the guidance in terms of implementing and managing an enterprise INFOSEC management program?
12. Where can the guidance be obtained?
13. How recognized is the guidance and how acceptable is it to the INFOSEC industry?
14. How widely is the guidance used by security practitioners?
15. What level of coverage does the guidance provide when compared against the task/knowledge statements in the Certified Information Security Manager (CISM) job domains?
16. How thorough is the content of the guidance?

To determine the recognition, acceptance, and usage of each security document, Macartney surveyed 1,900 INFOSEC professionals holding a current CISM qualification and incorporated their responses into the study. This evaluative framework enables INFOSEC professionals to identify which of the security documents would be of best use within their own organization or most appropriate for improving their own skills and knowledge.

Macartney's study provides a valuable contribution to the INFOSEC industry, and most ISSOs would find it useful, but it does presume a good level of familiarity and experience with security standards and guidance documents. In addition, Macartney specifically compared the seventeen reviewed security documents to the five CISM domains:

1. Information security governance.
2. Risk management.
3. Information security program management.
4. Information security management.
5. Response management.

These five domains do not easily correspond to the ten elements of an INFOSEC program espoused by the Human Firewall Council and the ISO/IEC 17799 standard discussed earlier in this paper. However, Macartney's findings did indicate that the ISO/IEC 17799 document has made a significant impact on the INFOSEC community. Her study noted that over 97 percent of the surveyed CISMs recognized the ISO/IEC 17799 document and more than 85 percent of them accepted it as a conventional security standard (Macartney, 2005). Despite this, Macartney concluded that the ISO/IEC 17799 standard is unlikely to provide real benefit in addressing the five CISM domains and is only useful as a complement to other resources. This does not imply that the ISO/IEC 17799 standard is not valuable as a basis for an INFOSEC program, simply that it holds little value for those INFOSEC professionals preparing to seek the CISM qualification. It is interesting to note that Macartney's study suggested that only three of the seventeen INFOSEC documents adequately map to the CISM domains. Based on this study, ISSOs who are preparing for the CISM qualification may need to reconsider which references they are using.

A Comparative Study of IT Security Criteria

In a similar comparative study, Project Team 5 of Initiative D21 reviewed nine of the commonly recognized security standards and was not so harsh on the ISO/IEC 17799 standard. This study noted that the ISO/IEC 17799 standard does provide a comprehensive collection of safeguards that satisfies a best practice approach to INFOSEC, and that the standard does provide a common reference point for assessing an INFOSEC management program (German Chamber of Commerce, 2001). Initiative D21 also noted that the ISO/IEC 17799 standard is heavily oriented towards generic, baseline security measures, making it a flexible standard that is not restricted to a specific security level and is largely independent of organizational structure. For example, the standard permits organizations to decline some security measures, with justification, making it quite suitable for smaller organizations. On the other hand, organizations that require high-security safeguards can also extend the standard to suit their needs (German Chamber of Commerce, 2001).


Unlike Macartney (2005), Initiative D21 did not attempt to map the reviewed security literature to a specific certification framework such as CISM. However, Initiative D21 did agree with one of Macartney's conclusions: the ISO/IEC 17799 standard is more useful when it complements another security resource. The reason for this conclusion is that the ISO/IEC 17799 standard does not provide the specific technical instructions to implement the recommended security measures. Rather, it is a generic catalogue of best practices that prescribes what to do, but not how to do it. It is important to note that both Macartney (2005) and Project Team 5 of Initiative D21 (German Chamber of Commerce, 2001) reviewed the first version of the ISO/IEC 17799 standard, published in 2000. Rasmussen (2005) agrees that the original version had some weak areas, but he claims that the second version, published in 2005, fixes them. The 2005 version of the ISO/IEC 17799 standard provides a much stronger and expanded framework for INFOSEC management, but it still does not provide the depth needed for a robust INFOSEC program (Rasmussen, 2005).

International Codes of Practice for Information Security Management

The third significant study came out of the School of Computing at the University of South Africa. Smith's (2005) paper provided a broad overview of seven of the well-known security standards and argued that organizations need to adopt and comply with internationally recognized standards, or to cross-reference any in-house developed standards to an existing international standard. Smith argued that the lack of sufficient security safeguards might threaten the organization's own electronic business and the security of its business partners. It is therefore necessary for an organization to certify its compliance with some international security standard (Smith, 2005). Smith also noted that the ISO/IEC 17799 standard is the only international standard that an organization can use to provide the necessary proof to its trading partners. Smith's technical report does not draw any conclusion as to which standard is better than another or more appropriate for small or large organizations. However, the study does list some of the benefits of adopting a specific standard and allows readers to draw their own conclusions. For example, the study suggested that organizations adopting the Generally Accepted System Security Principles (GASSP) would:

1. Promote good security practice.
2. Have a legal and authoritative point of reference for security practices.
3. Increase their business effectiveness and efficiency by preserving public trust in their IT capability.
4. Minimize barriers to the free flow of information.
5. Be assured of a globally known skill set.
6. Increase management confidence in the decisions that INFOSEC practitioners make.
7. Enjoy increased customer confidence, trust, and acceptance in their products (Smith, 2005).

Conclusion

As demonstrated by the review of the literature, there is some disagreement within the INFOSEC community regarding the merit of some standards; the profession still lacks a unified body of guidance; and ISSOs do not have a single comprehensive reference point for acts, standards, guidelines, best practices, certifications, success metrics, and even terminology. This paper does not serve as unified guidance for the INFOSEC community. However, Part II of this paper does attempt to provide ISSOs with an all-inclusive reference point to the commonly accepted national and international INFOSEC-related documents. Next, this paper discusses these documents under the broad headings of government acts, INFOSEC standards, and INFOSEC guidelines and best practices.

PART II

Chapter 5 - Government Acts

Acts are orders issued by a government department or agency that have the force of law. Acts usually focus on a specific industry or issue of critical importance. From an INFOSEC perspective, acts mandate the security measures that businesses must embrace to protect the information assets that they are responsible for. These security measures tell businesses what to do in very high-level statements, leaving the detailed implementation (i.e., how to implement safeguards that will satisfy the security requirements of the act) to the discretion of the business. The important point about acts is that businesses must satisfy all the prescribed security measures; how they do that is up to them. This is an important distinction for ISSOs, since CIOs will call upon them to implement appropriate safeguards for each of the security measures that the act mandates. Therefore, ISSOs should be familiar with the impact that acts have on their particular business.

There are many acts that have some impact on the INFOSEC community, but it is not the intent of this paper to review them all. Rather, this paper focuses on a relatively small number of acts that appear to receive the greatest share of attention and are generally recognized as important landmarks.

Personal Information Protection and Electronic Documents Act (PIPEDA)

In Canada, two federal privacy laws protect individuals: one law that prescribes how the federal government must handle personal information (the Privacy Act), and one law that governs how Canada's private sector must handle personal information (the Personal Information Protection and Electronic Documents Act, or PIPEDA). The PIPEDA was assented to on April 13, 2000, by the Senate and House of Commons of Canada, but it is really the result of a collaborative effort by representatives of government, consumers, and business groups (Canada, Office of the Privacy Commissioner, 2000). However, it did not come fully into effect until January 1, 2004.

The PIPEDA applies across the board to all non-government organizations that collect, use, or disclose personal information in the course of commercial activities. It imposes ten principles of fair information practices that all private sector businesses must adhere to: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and providing recourse (Canada, Office of the Privacy Commissioner, 2000).

The CIO addresses these privacy issues within the overarching information management program. However, it is common for ISSOs to be involved in some aspects of privacy compliance. For example, the principle of accountability requires an organization to appoint an individual to protect all personal information held by the organization or transferred to a third party for processing. Undoubtedly, ISSOs will be heavily involved in implementing the technologies that protect such information and therefore should develop a good working rapport with the appointed individual. In smaller organizations, this individual may in fact be the ISSO. In addition, the principle of safeguards requires organizations to protect personal information against loss or theft, and to safeguard the information from unauthorized access, disclosure, copying, use, or modification. Again, ISSOs will be heavily involved in the selection and application of appropriate safeguards, specifically the selection of physical security measures (locked filing cabinets, restricting access to offices, alarm systems), technological tools (passwords, encryption, firewalls), organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, agreements), and education and awareness training to make all employees aware of the importance of maintaining the security and confidentiality of personal information. The CIO may also call upon ISSOs for their input into a security policy to protect personal information.

The PIPEDA is a document that ISSOs should skim simply because they need to understand the importance of this legislation. The document itself does not tell ISSOs how to protect personal information collected, used, or disclosed by their company, but it does provide the legal and authoritative point of reference with which to impose certain safeguards. Later, this paper will discuss a supporting document that introduces a privacy framework that organizations can use to guide and assist them in implementing their privacy program (American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004).

Health Insurance Portability and Accountability Act (HIPAA)

In 1996, the U.S. Congress enacted the Administrative Simplification provisions (part of Title II) of the Health Insurance Portability and Accountability Act (HIPAA) to promote standardized electronic transactions in the health care industry and to protect the privacy and security of health information (Hash, 2005). It was not until February 20, 2003, that the U.S. Department of Health and Human Services adopted sections 160, 162, and 164 of the HIPAA as its security standards final rule. These sections are set out in Part 45 of the Code of Federal Regulations (CFR) and require organizations to take measures to secure electronic protected health information (EPHI) while it is in their custody (U.S. Department of Health & Human Services, 2003). The HIPAA security rule focuses specifically on safeguarding EPHI, and all covered entities must comply with the rule. Examples of covered entities include health care providers, health plans, health care clearinghouses, and Medicare prescription drug card sponsors (Hash, 2005).

More specifically, the HIPAA security rule objectives are to ensure confidentiality, integrity, and availability of EPHI that organizations create, receive, maintain, or transmit. As well, organizations must protect EPHI against any reasonably anticipated threats and hazards, and against reasonably anticipated uses or disclosures that are not permitted by the Privacy Rule (Hash, 2005).

The HIPAA security rule is separated into six main sections, and each section includes several standards. Furthermore, each standard is subdivided into implementation specifications, each of which is categorized as either required or addressable. In all, there are 18 standards and 36 implementation specifications (14 required and 22 addressable). The 18 standards are mandatory, and all organizations must comply with them. However, compliance with the 36 implementation specifications depends on whether they are categorized as required or addressable. A required specification is treated like a standard, and organizations must comply with it. An addressable specification, by contrast, is a reasonable and appropriate safeguard that organizations must consider, although they are not obliged to implement it. Nevertheless, organizations cannot simply dismiss addressable specifications: they must perform a risk assessment to determine whether the safeguard is appropriate for their environment or whether they should implement an equivalent alternative (Hash, 2005).

The Federal Register, Subpart C, provides the approved requirements under sections 160, 162, and 164 of the HIPAA. However, the Federal Register also includes much more information, such as the background, general provisions, and analysis of and responses to public comments on the security rule. This is a wealth of information for understanding the HIPAA from an INFOSEC perspective, but it is not required reading for ISSOs implementing the rule. One other issue worth noting is that the Federal Register mentions numerous National Institute of Standards and Technology (NIST) publications, including Hash's (2005) guide, as potentially helpful guidance, but not as mandatory for achieving compliance with the HIPAA (U.S. Department of Health & Human Services, 2003).

Hash has cross-referenced every standard to the citation where the standard is located within the HIPAA security rule. For each standard, Hash has further defined key activities, which are actions that organizations should pursue to comply with the associated rule; some of the key activities are the actual implementation specifications. Hash also provides an expanded explanation of the key activities to help organizations get started in addressing the HIPAA security rule. An additional feature of Hash's guide is the sample questions. These are indicative of the relevant questions that organizations could ask as a starting point to examine their own security practices that relate to the HIPAA security rule. Finally, Hash includes illustrated examples of two hypothetical federal agencies to show how the standard may be addressed in a specific environment. These examples suggest actions and issues that could arise. For ISSOs who work for a covered entity, Hash's guide is indispensable.

Sarbanes-Oxley Act (SOX)

In 2002, the U.S. Congress enacted the Sarbanes-Oxley Act of 2002 (SOX), which defines the requirements for the disclosure of financial and accounting information. It is an act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. The act is named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley (U.S. Congress, 2002).

The SOX Act is organized into eleven titles, although section 404, entitled "Management Assessment of Internal Controls", is the most significant with respect to compliance and internal control. Section 404 goes beyond the requirement to merely establish and maintain adequate internal controls; it requires that senior management assess the effectiveness of their internal controls on an annual basis (IT Governance Institute, 2004).

There is not much literature detailing the INFOSEC implications of the SOX Act. Furthermore, the literature that does exist generally addresses the concerns of executive management and senior IT control professionals. To further obscure the INFOSEC implications, the U.S. Public Company Accounting Oversight Board (PCAOB), which was created by the SOX Act, indicates that internal control is not "one-size-fits-all" and that the nature and extent of controls depend greatly on the size and complexity of the organization. Therefore, each organization must carefully consider the appropriate IT controls for its own circumstances.

To accomplish this, CIOs must now enhance their knowledge of internal controls, understand their organization's overall SOX Act compliance plan, and develop specific IT security compliance plans. Accordingly, CIOs must first assess the current state of their organization's IT control environment, and then design the controls necessary to meet the directives of SOX Act section 404 (IT Governance Institute, 2004). It should be obvious to most ISSOs that they will be indirectly involved in this process; therefore, they should be aware of the SOX Act section 404 requirements in order to provide appropriate advice to their CIO. There are a number of valuable resources to help ISSOs address the INFOSEC requirements of the SOX Act, namely the guide issued by the IT Governance Institute (2004) and other standards that will be discussed later in this paper, such as COBIT and ISO/IEC 17799.

Gramm-Leach-Bliley Act (GLBA)

In 1999, the U.S. Congress enacted the Gramm-Leach-Bliley Act (GLBA) to reform and modernize the banking industry. Subtitle A of Title 5 of the GLBA, labelled "Disclosure of Nonpublic Personal Information", requires the Federal Trade Commission (FTC) to establish INFOSEC safeguards for certain personal information held by financial institutions (U.S. Congress, 1999). The FTC issued its final safeguards rule on May 23, 2002. The FTC's safeguards rule regulates only financial institutions (i.e., businesses that engage in banking, insuring, stocks and bonds, financial advice, and investing) (Federal Trade Commission, 2002).

The objectives of the GLBA safeguards rule are threefold. First, the GLBA aims to ensure the confidentiality of customers' information. Second, it aims to protect the integrity of such information against any anticipated threats or hazards. Finally, the GLBA aims to protect the information against unauthorized access or use that could result in substantial harm or inconvenience to any customer (Federal Trade Commission, 2002).

Under the GLBA, financial institutions must implement and maintain an INFOSEC program (including administrative, technical, and physical safeguards) and must demonstrate compliance with their program. The standard for establishing a compliance program comes from "Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability", which says that for an organization to have an effective compliance program, the following seven elements are required: existence of written standards; effective oversight; due care in delegation of authority; training; monitoring; discipline; and corrective action (Kaplan, 2000).

The GLBA safeguards rule itself is a very high-level set of general elements that a financial institution must include in its information security program. The five basic elements of the GLBA are:

1. Assign security responsibility.
2. Perform a risk assessment on information systems operations, including the areas of security awareness, security technologies and procedures, incident response, and contingency planning.
3. Design and implement information safeguards to control risks.
4. Oversee the INFOSEC capabilities of service providers.
5. Evaluate and adjust the INFOSEC program on an ongoing basis.

These five elements represent nothing more than information security best practices, but those financial organizations that fall under the scope of the GLBA must implement them nonetheless. The positive thing about the safeguards rule is that it provides a framework that organizations should use to develop, implement, and maintain the required safeguards, but leaves organizations to use their own discretion to tailor their INFOSEC program to their own circumstances.

Executive management and CIOs of financial institutions should read the GLBA and understand its requirements, since they are the officers primarily responsible for establishing and implementing the company's INFOSEC program. This act gives them the authority, in fact the mandate, on which to base their program. Certainly the GLBA is not required reading for most ISSOs, since they should already be aware of the five basic elements that the GLBA imposes.

Summary of Government Acts

In Canada, the PIPEDA applies to all private sector organizations that collect, use, or disclose personal information. The key requirement of this act is the principle of safeguards, which requires organizations to protect personal information against loss or theft, and to safeguard the information from unauthorized access, use, disclosure, copying, or modification. The PIPEDA does not prescribe how to protect personal information, but it does provide the legal and authoritative point of reference with which to impose certain safeguards. Therefore, ISSOs who are involved in the selection and application of appropriate safeguards should have at least a general familiarity with the requirements of this act.

In the U.S., the three acts most relevant to INFOSEC professionals are the HIPAA, the SOX Act, and the GLBA. First, the HIPAA mandates the protection of electronic health information and therefore applies to businesses in the health care industry such as health care providers, health plans, health care clearinghouses, and Medicare prescription drug sponsors. The HIPAA imposes substantial INFOSEC safeguards on these businesses but, as is typical of most acts, does not describe how to implement the necessary safeguards. ISSOs in the health care industry would be well advised to thoroughly understand the requirements of this act. Therefore, Hash's (2005) publication is highly recommended reading.

Second, the U.S. Congress enacted the SOX Act specifically to protect investors by mandating that certain businesses disclose financial and accounting information. For the INFOSEC community, section 404 of this act is required reading. This section requires senior management to assess the effectiveness of their business's IT control environment on an annual basis. Therefore, ISSOs should be aware of the section 404 requirements, but familiarity with other sections of the SOX Act is not required.

Finally, the GLBA establishes the safeguards that financial institutions (such as banks, stock and bond dealers, and financial advice firms) must implement to protect their customers' records and information. Other than directing financial institutions to implement an INFOSEC program and demonstrate compliance with their program, this act does not introduce anything new from an INFOSEC perspective. The GLBA simply provides a basic framework that organizations should use to develop their INFOSEC program, but leaves them to use their own discretion to tailor the program to their own circumstances. Since most ISSOs should already be familiar with the basic framework that the GLBA suggests, there is no need for them to read this act.

Rating of Government Acts

The four acts reviewed in this paper represent only those that appear to receive the greatest share of attention and are generally recognized as important landmarks within the INFOSEC community. Table 2 presents a summary of their value to ISSOs. Certainly, there are more acts that have some INFOSEC elements, but the limitations of this paper preclude a review of them all.

Table 2. Summary of acts and their helpfulness to ISSOs.

Title                                                                  Helpfulness
Personal Information Protection and Electronic Documents Act (PIPEDA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX Act)
[Helpfulness ratings not preserved in the extracted text]

Chapter 6 - INFOSEC Standards

Information security is no longer solely an in-house issue. An organization's IT assets are often widely distributed and linked via the Internet or other communication means such as dedicated backbones. In addition, many organizations link with multiple partner businesses both nationally and internationally. This growing interconnectivity is a cause of great concern for company directors. INFOSEC standards can alleviate much of this concern. From an INFOSEC perspective, standards are a level of quality that businesses accept as the norm. Standards provide organizations with some assurance that they have implemented an effective INFOSEC program and that they can be trusted to adequately protect the information they share with their business partners.

The important point about standards is that they are not obligatory (as acts are). Rather, standards derive their authority from the fact that they represent the consensus of multiple organizations. ISSOs should understand this distinction in order not to mislead their CIO. There is no legal requirement to comply with a standard; however, doing so may be a method of meeting the legal requirements imposed by acts, and it is definitely a good business practice.

A variety of INFOSEC standards exist, ranging from detailed security measures to high-level frameworks. Frameworks simply present ideas, principles, agreements, or rules that provide an outline that businesses can use to fully develop a more detailed program. The following INFOSEC standards and frameworks represent the most influential security standards within the INFOSEC community. Therefore, ISSOs should be acquainted with each of them, to varying levels of understanding.

Generally Accepted Principles and Practices for Securing Information Technology Systems

The Generally Accepted Principles and Practices for Securing Information Technology Systems is one of the earlier INFOSEC guides published by NIST. However, the principles and practices that this guide recommends are timeless and are as valid today as they were almost ten years ago when the authors wrote them. This guide contains two distinct sections; therefore, the target audience depends on which section is of interest.

Senior management and senior INFOSEC professionals should read the chapter that explains the eight pervasive principles because these principles deal more with creating program policy or reviewing existing policy. On the other hand, ISSOs (and INFOSEC auditors) should focus on the fourteen common practices because these practices provide a common baseline of security requirements (Swanson, 1996).

This guide is definitely a high-level document, which presents generic principles and practices, making it suitable for organizations of any size, in both private and public sectors. The objective of this guide is to provide organizations with a common understanding of what they need to do to secure their IT resources. Despite being ten years old, it remains an important document because it provides the groundwork for organizations to understand the basic security requirements that most IT systems should contain.

As the name of this guide implies, the eight principles that this guide prescribes are generally accepted worldwide (i.e., they are the principles that almost everyone applies when developing or maintaining a system and therefore have become generally accepted). The eight principles are:

1. Computer security supports the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost effective.
4. System owners have security responsibilities outside their own organizations.
5. Computer security responsibilities and accountability should be made explicit.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors (Swanson, 1996).

These eight principles should not require any further explanation to most senior management officials, and it is really beyond the scope of this paper to do so.

The major focus of this guide (and of greatest interest to ISSOs) is the fourteen practices, which describe the types of controls, objectives, and procedures of an effective INFOSEC program. These practices show organizations what they should do to enhance or assess their current INFOSEC program. They are not comprehensive practices; rather, they represent a baseline standard. Each practice is derived from one or more of the eight generally accepted principles. Therefore, most organizations should implement all of the practices and augment them with other practices depending on their needs (Swanson, 1996). A detailed listing of the specific practices is not practical within the scope of this paper. The important point is that the practices provide the foundation for a sound INFOSEC program, and all ISSOs should thoroughly familiarize themselves with them.

OECD Guidelines for the Security of Information Systems and Networks

On November 26, 1992, the Organisation for Economic Co-operation and Development (OECD) published its landmark Guidelines for the Security of Information Systems report. This report arose from the need to address the potential threats to information systems that cross national boundaries. Therefore, a group of experts from 24 OECD member nations gathered to produce suitable recommendations (Organisation for Economic Co-operation & Development, 1992). Ten years later, the OECD recognized that the use of information systems and networks had changed dramatically from what they wrote about in their 1992 guide.

Therefore, in 2002, the OECD republished their recommendations under a new report titled Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. The aim of this guide is to promote a culture of security; raise awareness of risks; and promote co-operation in the development of information security policies, practices, and procedures. The nine principles of the 2002 version include awareness; responsibility; response; ethics; democracy; risk assessment; security design and implementation; security management; and reassessment (Organisation for Economic Co-operation & Development, 2002).

The OECD guide provides an ideal forum for nations to agree on very broad principles of information systems security. However, this guide holds little practical value for ISSOs.

Generally Accepted Information Security Principles (GAISP)

In August 2003, the International Information System Association (ISSA) published version 3.0 of the Generally Accepted Information Security Principles (GAISP) guide. The GAISP is actually an ongoing project that started out in 1992 as the Generally Accepted Systems Security Principles (GASSP), which was discussed in Smith's (2005) study, in response to the Computers at Risk report (U. S. National Research Council, 1991). However, under the original direction of the International Information Security Foundation (IISF), the GASSP did not achieve the success that it hoped for and subsequently stalled. Therefore, the ISSA has now taken on the initiative to complete this project and quickly renamed it, substituting the word "information" for the word "systems" to reflect that it is really the information that they want to secure, not the systems themselves (International Information Security Association, 2003).

The objectives of the GAISP project are quite broad and quite audacious, namely to collect and encapsulate the existing body of knowledge, and to come to an agreement on what principles best serve the INFOSEC profession. By doing so, the GAISP foresees that it could ward off the need for governments to assume control and issue regulations, thereby allowing the INFOSEC profession to grow internationally and remain a self-regulated profession (International Information Security Association, 2003). One of the first orders of business for the revitalized GAISP was to create and publish its own set of generally accepted principles and practices that would serve as an authoritative foundation of existing works. They envisioned creating these principles in a higher-to-lower hierarchical scheme, starting at the top with pervasive principles that describe concepts and governance issues; followed by broad functional principles that describe what to do; and finally detailed principles that describe how to implement the security practices. Version 3.0 of the GAISP provides two parts of this goal: the pervasive and the broad functional principles.

The target audience for the pervasive principles is executive level management and senior IT professionals, such as the CIO. The pervasive principles address the three universal goals of information security, namely confidentiality, integrity, and availability of information. The nine pervasive principles are directly founded on the same nine principles endorsed and published by the OECD, so there is no benefit to listing them again here.

The bulk of the GAISP guide is devoted to explaining the 14 broad functional principles. These principles are derived from, and support, the nine pervasive principles. They are more detailed, but remain high-level "what to do" statements. Therefore, the target audience remains the more senior IT professionals, such as the CIO.

Unfortunately for ISSOs, the detailed principles are not yet developed. According to the GAISP, these principles will define how to implement the nine pervasive principles and the 14 broad functional principles. Nevertheless, until the detailed principles are developed, the GAISP, in its current version, holds little value for most ISSOs.

German IT Security Guidelines

The German Federal Office for Information Security (BSI) published the IT Security Guidelines in 2004 specifically for IT managers and administrators in small and medium size companies. BSI developed these guidelines in response to the growing statutory requirements making company directors liable for matters of IT security. Recent legislation in Germany, such as the German Stock Corporation Act and the Limited Liability Act, makes directors personally liable and places obligations on senior management to act. Moreover, the Commercial Code places obligations on auditors to check whether businesses accurately present the risks to their IT systems (Federal Office for Information Security, 2004).

The objective of BSI's IT Security Guidelines is to present the most important IT security measures in the areas of organization, infrastructure, and technical security measures (Federal Office for Information Security, 2004). This concise 48-page guide introduces typical scenarios of what not to do, explains the most common failures to act, and describes 50 essential security measures. The 50 essential security measures include both high-level statements and detailed explanations of how to implement the prescribed measure. ISSOs will not find this level of detail in many of the other security standards documents.

The IT Security Guidelines is really the prelude to a much more comprehensive manual that BSI also publishes. Their IT Baseline Protection Manual claims to be the basis for establishing a professional INFOSEC program. It contains field-proven security measures that even organizations implementing the latest technologies can readily implement. In Germany, the Federal Commissioner for Data Protection recognizes the IT Baseline Protection Manual as the de facto standard for the country (Federal Office for Information Security, 2004).

The manual itself is quite expansive, weighing in at 2,377 pages separated into three distinct sections: the basic modules, the threats catalogue, and the safeguards catalogue. The basic modules describe the threat scenarios along with the appropriate safeguards for the various components, procedures, and IT systems. The threats catalogue expands on the information presented in the basic modules by giving much more detailed descriptions of the specific threats. The five basic categories of threats discussed are force majeure; organizational shortcomings; human failures; technical failures; and deliberate acts. Similarly, the safeguards catalogue expands on the information presented in the basic modules by giving detailed descriptions of the specific safeguards. The six categories of safeguards discussed are infrastructural safeguards; organizational safeguards; personnel safeguards; software and hardware safeguards; communications safeguards; and contingency planning safeguards.

Of the many INFOSEC documents reviewed in this paper, the IT Baseline Protection Manual is clearly the most comprehensive work on IT security. ISSOs in any size of organization would benefit from this manual, but more importantly, those ISSOs with less experience will find this manual highly informative and worthy of their investment. It can be downloaded free of charge from www.bsi.bund.de/gshb.

COBIT

Under the overall guidance of the IT Governance Institute, research into international standards, guidelines, and best practices led to the development of the Control Objectives for Information and related Technology (COBIT). In 2005, the IT Governance Institute released the fourth edition of COBIT, which was developed by a panel of 40 experts from academia, government, and various INFOSEC professions, all strongly supported by the Gartner Group and PricewaterhouseCoopers (IT Governance Institute, 2005).

COBIT is essentially an IT management framework that describes what organizations need to achieve to exercise adequate management and control over their IT program. Therefore, its target audience is senior level managers who hold security, privacy, and risk responsibilities, rather than the typical ISSO. This framework prescribes 34 high-level control objectives, each with its own management guidelines, maturity model, critical success factors, key goal indicators, and key performance indicators. COBIT defines a control objective as a statement of the desired result or purpose to be achieved by implementing control procedures (IT Governance Institute, 2005).

The COBIT framework organizes its 34 control objectives, and their supporting activities, into four key domains (i.e., a collection of procedures) as follows: plan and organize; acquire and implement; deliver and support; and monitor and evaluate. The COBIT framework, therefore, links IT processes to typical business phases. In other words, business requirements drive IT processes, which in turn manage IT activities and resources.

However, COBIT does not provide any detailed practices describing how to manage or implement lower-level aspects of IT. Consider the following example in Figure 1, which is presented in a format similar to that used in the COBIT manual.

Figure 1. Example of how COBIT presents its control objectives.

Process DS5 - Deliver and support
Control objective - Ensure system security, by focusing on defining IT security policies, procedures and standards, and on monitoring, detecting, reporting, and resolving security vulnerabilities and incidents.
Is achieved by - (a) understanding security requirements, vulnerabilities, and threats; (b) managing user identities and authorizations in a standard manner; and (c) testing security regularly.
And is measured by - (a) number of incidents damaging reputation with the public; (b) number of systems where security requirements are not met; and (c) number of violations in segregation of duties.

COBIT does not specify how organizations are to manage user identities, what standard manner should be used, how to test security, or how regularly. To achieve this level of detail, COBIT relies heavily on supporting resources such as the ISO/IEC 17799 standard and the Information Security Forum's (ISF) Standard of Good Practice for Information Security. Both of these documents are discussed later in this paper.

Because COBIT lacks the level of detail needed for day-to-day security operations, it is of little value to ISSOs. At best, it may be a suitable complement to other security documents, but on its own, it does not provide sufficient guidance for ISSOs.

ISO/IEC 17799 Code of Practice for Information Security Management

In 2005, the International Organization for Standardization [jointly with the International Electrotechnical Commission (ISO/IEC)] published the second edition of their international standard. The standard's full title is ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information Security Management, but it is popularly referred to simply as ISO 17799. This standard establishes the baseline requirements to form an INFOSEC program in any size or type of organization, in both the public and private sectors (International Organization for Standardization, & the International Electrotechnical Commission, 2005).

The ISO 17799 standard is an internationally recognized guide developed by ISO's Joint Technical Committee 1 - Information Technology, Subcommittee 27 - IT Security Techniques, with input from a consortium of companies to meet industry needs. According to ISO's directives, to be internationally recognized, a standard requires approval by at least 75 percent of the national voting bodies. Therefore, this standard represents the consensus of a considerable body of expertise.

The history of the ISO 17799 standard dates back to 1993, when the Department of Trade and Industry in the United Kingdom (U.K.) first published their code of practice. In 1995, the British Standards Institute adopted this code of practice and released it in two parts as BS 7799. In 2000, the ISO took charge of Part 1 of BS 7799 and renamed it ISO 17799 (Part 2 is discussed in the next section of this paper). In 2005, the ISO/IEC revised and reissued the standard to reflect the ever-changing risks, controls, and best practices relevant to INFOSEC management. The ISO expects to revise this standard again in 2007 to bring it in line with their new family of standards in the 27000 series (it will likely be issued as ISO 27002) (International Organization for Standardization, & the International Electrotechnical Commission, 2005).

The ISO 17799 standard is a generic advisory document that provides a set of controls considered to be a good starting point for implementing an INFOSEC program. The recommended controls are typically based on legislative requirements or common practice within the INFOSEC community. The standard itself contains 11 security control clauses. Ten of these security clauses were introduced in Chapter 2 - Elements of an INFOSEC Program, while the new edition of ISO/IEC 17799 adds the eleventh clause, information security incident management. The security clauses collectively prescribe a total of 39 main security categories. Furthermore, each security category provides its own statement of what is to be achieved (i.e., the control objective), and one or more safeguards that ISSOs can apply to achieve the control objective (i.e., implementation guidance). In total, the ISO 17799 standard lists 127 individual safeguards that ISSOs could apply. Figure 2 provides an example illustrating how the ISO 17799 hierarchy works:

Figure 2. Example of how ISO 17799 organizes and presents safeguards.

Clause 11 - Access control
Category 11.5 - Operating system access control
Subcategory 11.5.3 - Password management system
Control. Systems for managing passwords should be interactive and should ensure quality passwords.
Implementation guidance (i.e., safeguards). A password management system should: (a) enforce the use of individual user IDs and passwords to maintain accountability; (b) allow users to select and change their own passwords and include confirmation procedures to allow for input errors; (c) enforce a choice of quality passwords; (d) enforce password changes; (e) force users to change temporary passwords at the first log-on; (f) maintain a record of previous user passwords and prevent re-use; (g) not display passwords on the screen when being entered; (h) store password files separately from application system data; and (i) store and transmit passwords in protected (e.g., encrypted or hashed) form.
Other information. Passwords are one of the principal means of validating a user's authority to access a computer service.

As demonstrated by this example, the level of detail that the ISO 17799 standard provides is ideal for ISSOs, and it would not be difficult for them to implement such control objectives. Furthermore, ISO 17799 is a technology-neutral standard, so ISSOs have enough flexibility to apply any available technology to implement and achieve the desired control objectives. In fact, achieving all of the control objectives is not necessary to be compliant with the ISO 17799 standard. The ISO 17799 standard simply requires that organizations select the controls they require based on their own unique security requirements, so long as the risks have been reduced to an acceptable level (International Organization for Standardization, & the International Electrotechnical Commission, 2005).
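The safeguards listed in Figure 2 are concrete enough to be turned directly into code, which is the point the paragraph above makes about their suitability for ISSOs. The following Python sketch is an added illustration written for this guide; it is not text from ISO/IEC 17799 and not code from the paper. The class and function names, the 12-character minimum, the three-character-class rule, the history depth of five and the PBKDF2 parameters are assumptions chosen for the example. It exercises safeguards (a), (b), (c), (e), (f), (h) and (i): individual user IDs, confirmation of a new password, a quality rule, forced replacement of a temporary password at first log-on, a history that blocks re-use, a credential store kept apart from application data, and hashed storage. Safeguard (d), scheduled expiry, and (g), screen masking, are left out because they belong to the scheduler and the user interface respectively.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy parameters are assumptions for this example, not values from the standard.
MIN_LENGTH = 12       # (c) minimum length for a "quality" password
MIN_CLASSES = 3       # (c) character classes required out of lower/upper/digit/symbol
HISTORY_DEPTH = 5     # (f) previous password hashes retained to block re-use
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """(i) Store passwords only in protected form: salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_quality_password(password: str, user_id: str) -> bool:
    """(c) Enforce a choice of quality passwords (rules assumed for the example)."""
    if len(password) < MIN_LENGTH:
        return False
    if user_id.lower() in password.lower():      # reject passwords built on the user ID
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= MIN_CLASSES


@dataclass
class Account:
    user_id: str                                   # (a) one ID per individual for accountability
    salt: bytes
    digest: bytes
    must_change: bool = False                      # (e) set while a temporary password is in force
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (f) (salt, digest) pairs


class PasswordStore:
    """(h) Credential store held apart from application data; holds hashes only (i)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create_temporary(self, user_id: str, temp_password: str) -> None:
        """Issue a temporary password that must be replaced at first log-on (e)."""
        salt, digest = hash_password(temp_password)
        self._accounts[user_id] = Account(user_id, salt, digest, must_change=True)

    def verify(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'change-required' (temporary password) or 'denied'."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return "denied"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):   # constant-time comparison
            return "denied"
        return "change-required" if acct.must_change else "ok"

    def _used_before(self, acct: Account, candidate: str) -> bool:
        """(f) Compare the candidate against the current and retained hashes."""
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            _, probe = hash_password(candidate, salt)
            if hmac.compare_digest(probe, digest):
                return True
        return False

    def change_password(self, user_id: str, current: str, new: str, confirm: str) -> str:
        """Lets users change their own password (b), subject to (c), (e) and (f)."""
        if self.verify(user_id, current) == "denied":
            return "denied"
        acct = self._accounts[user_id]
        if new != confirm:                          # (b) confirmation catches input errors
            return "mismatch"
        if not is_quality_password(new, user_id):   # (c)
            return "weak"
        if self._used_before(acct, new):            # (f)
            return "reused"
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False                    # (e) temporary password has been replaced
        return "changed"
```

Because only salted hashes are kept, re-use is detected by re-hashing the candidate under each retained salt rather than by comparing plaintext, and the store never needs to hold the old passwords themselves. The return strings are deliberately coarse so that a caller can log which control rejected the change without revealing the password material involved.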

While the ISO 17799 standard represents Part 1 of the original BS 7799, it is difficult to separate it from Part 2 of BS 7799, which remains under the influence of the British Standards Institute. These two parts work in harmony. ISO 17799 provides a compliance framework for organizations to self-measure whether they have implemented the required standard. This in turn could lead to certification under BS 7799 Part 2, but this is optional.

Simply complying with ISO 17799 brings a number of benefits to organizations. For example, the HIPAA security rule emphasizes the same controls as the ISO 17799 standard but places emphasis on the protection of electronic health information. Therefore, complying with ISO 17799 is an ideal beginning to achieving compliance under the HIPAA. Furthermore, certification also has a number of benefits for organizations, such as formally demonstrating to their business partners that they are compliant with the standard, which in turn assures their commitment to INFOSEC. ISSOs should understand an important distinction here. Certification is optional, so a company may still comply with ISO 17799 without being certified. Certification is only possible against BS 7799 Part 2.

The ISO/IEC 17799 standard represents a rigorously structured guide sponsored by the efforts of a considerable group of experts, and goes a long way to improving INFOSEC in any size or type of organization. Therefore, ISSOs should thoroughly study this standard and make a serious commitment to implementing it.

BS 7799-2 Specification for Information Security Management Systems

As noted above, the British Standards Institute published the BS 7799-2 standard in 2002 (Note: at the time of writing this paper the ISO has taken over the BS 7799-2 standard and renamed it ISO 27001; however, this paper reviews the original BS 7799-2). The main purpose of the BS 7799-2 standard is to provide the conditions for INFOSEC management and the assessment guide for certification. According to the ISO Web site, over 1,800 organizations have already been certified against BS 7799-2.

It is important that ISSOs understand the relationship of the BS 7799-2 standard to the ISO 17799 standard. The control objectives and safeguards prescribed by the BS 7799-2 standard are directly derived from those listed in the ISO 17799 standard. Therefore, familiarity with the ISO 17799 standard is sufficient for most ISSOs.

However, what the BS 7799-2 standard adds, which ISSOs will not find in ISO 17799, is a process framework (similar to COBIT). The process framework addresses senior management's need to emphasize the importance of (a) understanding business information security requirements, (b) implementing and operating controls to manage risks, (c) monitoring and reviewing the performance and effectiveness of the INFOSEC management program, and (d) improving the INFOSEC program. The process framework is known as Plan-Do-Check-Act (PDCA) (BSI British Standards, 2001).

The plan phase ensures that the content and scope of the INFOSEC management program are correctly established, the security risks are assessed, and a plan is developed to address identified risks. The do phase implements the decisions made in the plan phase. The check phase verifies that the safeguards implemented are functioning as intended. The act phase reviews the implemented security solutions with a view to improving them (BSI British Standards, 2001).

The PDCA framework also emphasizes synergy with other management systems such as ISO 9001 (Quality Management Standard) and ISO 14001 (Environmental Management System), thereby providing a consistent and integrated implementation and operation of management standards (BSI British Standards, 2001). In addition, the PDCA model reflects the principles set by the OECD in their Guidelines for the Security of Information Systems and Networks (BSI British Standards, 2001).

Finally, the PDCA model compares nicely with the steps in the GLBA and is an excellent guide with which to demonstrate compliance with the SOX Act. Therefore, the BS 7799-2 standard is an ideal guide to assess an organization's ability to meet customer, organization, and legal requirements. The value of the BS 7799-2 standard to ISSOs is similar to that of COBIT: it may be a suitable complement to other security documents, but on its own, it does not provide sufficient guidance for ISSOs.

Summary of INFOSEC Standards

The growing interconnectivity among multiple businesses has become a cause of great concern for company directors, but it can be alleviated by implementing INFOSEC standards. These standards provide the level of quality that businesses accept as the norm and demonstrate their trustworthiness from an information protection perspective. Standards provide organizations with a set of INFOSEC rules that they are expected to follow, but not obliged to (unless they are seeking certification to a standard). Furthermore, they may be acceptable methods of achieving compliance with regulatory acts. This section has presented seven of the most commonly accepted INFOSEC standards, which are summarized below.

NIST's Generally Accepted Principles and Practices for Securing Information Technology Systems presents principles and practices that are timeless and are as valid today as they were almost ten years ago when the authors wrote them. Senior management and senior INFOSEC professionals should understand the eight pervasive principles because these principles deal more with creating program policy or reviewing existing policy. On the other hand, ISSOs should focus on the fourteen common practices because these practices provide a common baseline of security requirements.

The OECD's Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security promotes a culture of security; raises awareness of risks; and promotes cooperation in the development of information security policies, practices, and procedures. Its nine principles provide an ideal forum for nations to agree on very broad principles of information systems security. However, this guide holds little practical value for ISSOs.

The Generally Accepted Information Security Principles (GAISP) guide has tried to serve as an authoritative foundation of existing INFOSEC standards by establishing a higher-to-lower hierarchical scheme of pervasive principles, broad functional principles, and detailed principles. Unfortunately for ISSOs, the detailed principles are not yet developed, so the GAISP, in its current version, holds little value for most ISSOs.

Germany's IT Security Guidelines and their companion IT Baseline Protection Manual provide IT managers and administrators in small and medium-sized companies with a comprehensive means of establishing a professional INFOSEC program. The manual contains highly detailed and field-proven security measures that all organizations, even those implementing the latest technologies, can readily implement. ISSOs will not find this level of detail in many of the other security standards documents. It is clearly the most comprehensive work on IT security, and ISSOs will find this manual highly informative and worthy of their investment.

COBIT is an IT management framework that describes what organizations need to achieve to exercise adequate management and control over their IT program. Its target audience is senior-level managers who hold security, privacy, and risk responsibilities, not the typical ISSO. COBIT does not provide any detailed practices describing how to manage or implement lower-level aspects of IT; rather, it relies on complementary documents such as the ISO 17799 standard and ISF's Standard of Good Practice for Information Security to round out its usefulness. Because COBIT lacks the level of detail needed for day-to-day security operations, it is of little value to ISSOs. At best, it may be a suitable complement to other security documents, but on its own, it does not provide sufficient guidance for ISSOs.

The ISO 17799 standard is an internationally recognized guide that provides a set of controls considered to be good enough to implement a solid INFOSEC program. The recommended controls are typically based on legislative requirements or common practices within the INFOSEC community. Therefore, complying with ISO 17799 brings a number of benefits to organizations and is an ideal beginning to achieving compliance under the HIPAA. The level of detail and flexibility that the ISO 17799 standard provides is ideal for ISSOs, and it would not be difficult for them to implement the recommended control objectives. The ISO 17799 standard represents a rigorously structured guide sponsored by the efforts of a considerable group of experts, and goes a long way to improving INFOSEC in any size or type of organization. Therefore, ISSOs should thoroughly study this standard and make a serious commitment to implementing it.

Finally, BS 7799-2 stands as the complementary standard to ISO 17799 and therefore, familiarity with the ISO 17799 standard is sufficient for most ISSOs. The BS 7799-2 standard does, however, add a process framework (similar to COBIT) that will be of interest to senior management. The process framework, known as Plan-Do-Check-Act (PDCA), compares nicely with the steps in the GLBA and is an excellent guide with which to demonstrate compliance with the SOX Act. Perhaps the most important benefit of the BS 7799-2 standard is that it permits organizations to formally certify that they are compliant with this standard, which undoubtedly could provide them with a competitive advantage. According to the ISO Web site, over 1,800 organizations have already been certified against BS 7799-2.

Rating of INFOSEC Standards

The seven standards reviewed in this paper represent those standards that have received consensus among the international community, and are generally recognized as important milestones within the INFOSEC community. Table 3 summarizes their value to ISSOs. Certainly, there are more standards, some of which are identified in Appendix B. However, the limitations of this paper preclude a review of them all.

Table 3. Summary of INFOSEC standards and their helpfulness to ISSOs.

Title | Helpfulness
Generally Accepted Principles and Practices for Securing Information Technology Systems |
OECD Guidelines for the Security of Information Systems and Networks |
Generally Accepted Information Security Principles (GAISP) |
German IT Security Guidelines |
COBIT |
ISO/IEC 17799 Code of Practice for Information Security Management |
BS 7799-2 Specification for Information Security Management Systems |

Chapter 7 - INFOSEC Guidelines and Best Practices

Within the context of INFOSEC, guidelines are advice given to show organizations how they should do something. While not obligatory, they are widely recognized as suitable and reliable means of meeting the security requirements of acts and standards. ISSOs can greatly benefit from reading guidelines because they often result from best practices, which in turn arise through experience and research. Therefore, guidelines and best practices are often the methods of the recognized leaders in the INFOSEC community that have not yet been adopted as standards. These recognized leaders publish guidelines and best practices to ensure a consistent application of the intended regulation or standard. The following references represent the most common security guidelines and best practices that have influenced the development of, or have been derived from, many of the previously discussed acts and standards.

AICPA/CICA Privacy Framework

The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) jointly established an enterprise-wide privacy task force to examine the role that certified public accountants / chartered accountants (CPAs/CAs) could play in helping businesses develop and implement privacy programs (American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004). Their work resulted in the development of a Privacy Framework that they originally published on November 15, 2003, and later revised on March 22, 2004. The target audience of this document is CPAs and CAs, both in industry and in public practice, because the task force concluded that they possess the skills necessary to implement effective privacy practices in any organization, large or small (American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004). However, ISSOs will also gain a great deal of value from reading this document.

This is an important document because it introduces a privacy framework for protecting personal information, which ISSOs can use to guide and assist them in supporting their company's privacy program. Within the context of security objectives, the Privacy Framework aims to help businesses mitigate privacy risks and comply with privacy laws. ISSOs can use this framework to demonstrate assurance that their organization is meeting the security and safeguard components of the PIPEDA. Specifically, the section entitled Trust Services Privacy Components and Criteria provides relevant, objective, complete, and measurable criteria for evaluating an organization's INFOSEC safeguards (American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2004). Of particular relevance to ISSOs, the security criteria include INFOSEC program procedures and controls such as:

1. Administrative safeguards. These include conducting periodic risk assessments, handling security breaches and incidents, preventing unauthorized access, implementing software patches, and detecting actual and attempted attacks or intrusions.
2. Technical safeguards. These include implementing logical access controls for remote access and configuring firewalls.
3. Physical safeguards. These include enforcing physical access controls, including archival and backup methods.
4. Environmental safeguards. These include diminishing the risks of fire, flood, dust, power failure, and excessive heat and humidity.

This document also uses numerous illustrations and explanations to help ISSOs understand the criteria and navigate the collage of privacy laws and guidelines. The Privacy Framework also includes an attachment that cross-references the privacy concepts that are illustrated in various domestic and international acts and guidelines such as the GLBA, HIPAA, PIPEDA, and OECD guidelines. While not comprehensive, this cross-reference table may be valuable to ISSOs who are juggling multiple acts and guidelines in parallel.

ISO/IEC TR13335 Guidelines for the Management of IT Security (GMITS)

The main task of the International Organization for Standardization [jointly with the International Electrotechnical Commission (ISO/IEC)] is to prepare and publish international standards. However, in exceptional circumstances, a technical committee may prepare a Technical Report when it has information to publish that is different from what is normally published as an international standard (International Organization for Standardization, & the International Electrotechnical Commission, 1996). The ISO/IEC TR13335 falls into this category. In 1996, the ISO/IEC's Joint Technical Committee started working on a series of technical reports under the general title of Guidelines for the Management of Information Technology Security (GMITS). Initially the GMITS was envisioned to be only three parts: Part 1 - Concepts and models for IT security, Part 2 - Managing and planning IT security, and Part 3 - Techniques for the management of IT security, with a note that additional parts might be added in the future. In 2000, Part 4 - Selection of safeguards was added, followed by Part 5 - Management guidance on network security in 2001. Together, these five technical reports make up the GMITS.

The main purpose of these technical reports is to provide guidance on management aspects of IT security. These reports are not intended to prescribe solutions. Rather, ISSOs are expected to be able to adapt the information presented in these reports to meet their organization's needs. In general terms, these technical reports strive to (a) define and describe the concepts associated with the management of IT security, (b) identify the relationships between the management of IT security and management of IT in general, (c) present several models that explain IT security, and (d) provide general guidance on the management of IT security. To achieve these lofty goals, the ISO/IEC TR13335 is organized into five parts. Each of these parts is discussed independently below.

GMITS Part 1 - Concepts and models for IT security. Published in 1996, Part 1 presents the basic management concepts and models used to describe the management of IT security and is aimed at IT security managers. However, this knowledge is considered essential introductory material for all INFOSEC professionals. In only 18 pages, GMITS - Part 1 identifies how higher-level enterprise objectives, strategies, and policies influence the organization's security objectives, strategies, and policies. This report discusses the requirements for the definition of a policy; the identification of roles and responsibilities; systematic r