Computers & Security, 13 (1994) 23-29
Achieving Consistent Security Controls Throughout a Multinational Organization
Norman Hoppé
Zergo Consultants Ltd, Suite 401, 302/308 Regent Street, London, W1R 5AL, UK.
The Requirement
Having seen the title of this article, the reader may well be asking that notoriously computer-destructive question, “Why?”. To answer the question, it is first necessary to establish that there is a requirement before moving on to what that requirement actually is, and then how to satisfy it. In every multinational organization there is a combination of external and internal requirements necessitating a level of consistent controls. Sometimes this ‘consistency layer’ is at a very high level, depending on the degree of autonomy enjoyed by the individual operating companies. I have worked for some organizations whose middle managers were blissfully unconscious of their ‘parent’ in another country. In others it was only the spoken language and the strength of the coffee that gave clues to the geographic location of a branch or subsidiary. The requirement for consistency obviously depends on the corporate culture, but only as far as level is concerned - not depth. The controls that are employed may have to be fully complied with, if not rigorously enforced, in one jurisdiction, partially applied in another and merely regarded as guidelines in a third.
0167-4048/94/$7.00 © 1994, Elsevier Science Ltd
Law and regulation
Every company has at least some legislative and/or regulatory restrictions influencing the business it conducts. Increasingly, these jurisdictional rules are expanding to include privacy of information and control of access to information systems. The movement toward broadening and deepening of information protection rules, unfortunately, only applies to the commercial environment. Events in the news show that there are law-makers who believe that government departments should not be hampered in any way.
Technology
High-speed international networks, ‘X’ technology and Open Systems have brought true sharing of information to a global, certainly enterprise-wide, scale. The traditional concept of implementing security to the Principle of Highest Classification may, in the foreseeable future, mean protecting against the highest potential legal liability.
External threat
Today there are additional, more parochial security ‘drivers’. Intra-industrial competition has led to a number of well-publicized, and a multitude of widely-rumoured, ‘industrial espionage’ attacks on corporate information. Since the disintegration of the USSR, we hear frequently now of government agency interest in commercial and financial ‘intelligence’. There are hackers out there, and a fair proportion of them are teenagers, mentally at least, using our business systems as their toys or targets for graffiti. Recent market studies have shown that the negative impact from such attacks is not consistently high. More visible, however, are reports of proliferating virus-makers, some being caught and prosecuted, and, especially potent, the well-publicized raids carried out by anti-software-theft agencies such as FAST and BSA.
Internal threat
The illegal activities of rogue systems programmers, database administrators or money transfer operators (the latter hopefully forced to work in collusion to commit fraud) are well known and constitute the traditional high threat. The greatest risk of all is from a deliberate damage attack. It is also the area of vulnerability most difficult to limit.
Disasters
Natural disasters leading to the unavailability of systems or entire buildings have also been regarded as a serious threat. Recent terrorist activity in the City of London and in New York has underlined this area of risk. All of the above are global issues, whether the system at risk is a PC network or a vast installation of mainframes and minis supporting a wide variety of applications. A control structure designed for consistency assures simplicity in development, implementation, operation, maintenance and compliance.
Method
Change
In the area of security the management of change can provide a challenge of monumental proportions. Before anything can be managed, however, the lumbering locomotive of change will need to be forced grudgingly into forward motion. Recently two catalysts powerful enough to initiate change have begun to emerge.
Firstly, recent experience shows that the major audit practices have, over the last two years, become much more demanding in the area of information systems security. Their external audits are now making major corporations’ boards aware, some would say ‘at long last’, of the need for consistently applied, standardized security controls.
The other catalyst is the result of the efforts by internal information security practitioners. Measurement is the key. This is the age of margin maintenance by means of rigorous cost control. With worldwide businesses operating in such an environment, the executive board of any company will be impressed by hard numbers that quantify losses caused both directly and indirectly by avoidable information systems incidents. They may also be impressed by supporting information in the form of output from a formal and objective risk analysis. Such information should cost all assets and then identify and quantify the vulnerabilities, risks and threats associated with those assets. But beware: such output must be complemented by a comprehensive plan for sorting out the issues that have been raised. Stepping forward in the belief that this state of ‘nirvana’ (a controls-conscious international executive) can be achieved, it is necessary to move through requirements definition to the next stage of the project. We can provide enough high-impact general information concerning the worldwide problems of maintaining integrity, confidentiality and availability of information. We can devise means of measuring recent losses and can undertake a risk analysis. We also believe that the external auditors are going to do their job.
We believe that the case can be made, but what of the other half of the equation, the countermeasures implementation plan? A ‘strategic plan’ is needed from which a policy statement can be derived that will require the corporation, worldwide, to protect its information assets. The plan’s implementation is intended to change the corporate culture. Next the key projects need to be identified that are required to support that strategy and comply with the policy; in other words, a ‘tactical plan’. It is also necessary to scope day-to-day security activity and administration - an ‘operational plan’. All three of these plans must be implemented concurrently.
These three concurrent layers have been used to form the basis of Zergo’s Trident project architecture, which underpins a methodology that was devised entirely for commercial and financial companies.
Figure 1: Security (and quality) Enhancement. Three concurrent layers, each with its own start and end: the strategic ownership programme (business; risk and quality method selection; QARM), tactical activity (projects: personnel, system, organization implementation) and operational activity (measurement).
Supporting organization
It is impossible (not just difficult) to successfully undertake an exercise such as that illustrated in Figure 1, or any of its component parts, without having put in place a comprehensive organization structure able to facilitate controls specification, approval, implementation, maintenance and operation. The model shown in Figure 2 has a number of essential benefits:
- The security department is segregated from the business it protects.
- Each level of the organization undertakes the relevant activity:
  - Senior management: ‘bottom line’ risk management decisions
  - Middle management: implementation ownership (projects within the Trident architecture)
  - Junior management and workforce: implementation and operation
- Everyone participates in the process. This is achieved by undertaking the specified strategic activities, and the corporate-wide sub-projects, such as business resumption planning and information classification. This level of participation is necessary to assure the effectiveness of the security controls. It is essential that all areas of the organization are represented. The budget will therefore need to reflect the necessary travelling to enable participation, or at least a great deal of secured video conference time. Incidentally, securing the video conferencing facilities is an excellent minor global project with which to kick off the tactical line.
Figure 2: Corporate Quality & Risk Management (QARM) structure (executive council; line responsibility).
Strategic plan
The first stage of the strategic plan - devising the policy - is probably the most demanding step of all. The inputs exist, however: the audit management letter, the security/operational risk manager/director’s report, and the summary of the risk analysis findings. Add to this mixture the following external influences: national legislation, national industry regulation, relevant national standards, national risk environments, local systems environments and local risk environments. Stir very gently, considering scope. Scope means: how close to the areas of quality, personnel security, physical security and health and safety are you going? Deciding up front is called strategic planning; doing it later will be called a lot of other things. The deliverable should be a concise policy statement which is at a level just high enough to be pertinent to the entire corporation. The policy must, however, be sufficiently specific to constitute a practical set of security directives - directly from the corporation’s chief executive. The policy is only the top layer of a multi-layered book of rules. The development and maintenance of the whole rule book will be the enabling mechanism which drags the whole corporation, no matter how disparate, fragmented and divided, into a consistently controlled environment.
The organization supports the building of these documents. The security manual development project is the most practical way of creating a homogeneity of effort, overall security enhancement and, absolutely vital, global security awareness: all components of a consistent controls structure. From this point forward the successful completion of all sub-projects and descriptions of other planned activities will be documented in this security manual. The model may well be altered to accommodate differences in the detail of the controls themselves. Figure Three shows a corporate-wide Level One with jurisdiction-specific Levels Two and Three below. But what about local legislation, you ask? Is this not the pitfall? No, it does not matter. The legislation ‘box’ is for any pertinent legislation, which has only been specified by type, not that which is specific to any one jurisdiction other than, perhaps, as guidance. It will be necessary from time to time to publish a ‘control objective’ instead of documenting a mandatory control. This will be because it is not sensible to implement the particular control at that moment in the corporate lifetime. However, because it may be considered that the manual would suffer as a result of the control not being included (for instance in the case of, say, standardized logical access control rules), the control would be documented as being mandatory by a given date. The key is that the control objective would be forward-dated and must never be seen to be a guideline.
Figure 3: Corporate and local QARM or security manuals (Level One: corporate-wide; Level Two: practices; Level Three: common procedures).
The signing of the policy and the development of the first issue of the corporate manual provide the ideal starting points for a structured awareness programme. The programme will enable the project manager to begin other important culture-changing activities such as the establishment of an ownership and custodianship regime. It is only then that guidelines, or better still ‘codes of conduct’, should be produced. These will tell the readership ‘how to’ rather than ‘what to’.
Tactical Plan - Projects
The strategic stream is an ongoing activity. It is planned and budgeted annually and is concerned with development and maintenance of a consistent controls-minded culture.
The ‘tactical’ stream, however, consists of projects that have been agreed through the organization’s executive committee. They have defined beginnings, middles and ends. Some of the projects will be security or quality specific, others will be the controls components of IT development or enhancement projects.
I believe in good old common-sense ‘baselining’, and am concerned about blinkered reliance on formal risk analysis, still viewed by some as the means to all ends. However, formal risk analysis does have significant benefits. Our project teams often use the British Government’s CRAMM or the AnalyZ methodology (developed jointly by Zergo and the National Westminster Bank). Both methodologies are used to underpin an ‘expertise-based’ review. This is found to be a legitimate approach, assuming both activities are visible but separated by a Chinese Wall. Whatever route is chosen, an acceptable risk analysis process needs to be identified, specified, approved and adopted throughout the corporation.
But should this be the first tactical project? In my view probably not. A known weakness, or at least an ‘easy-to-buy-into’ project, should be addressed first. Standardizing an approach to logical access controls is a favourite, but across an international, multi-platformed, varied-application company it may not be the 50/50 mix of high impact and limited risk that is required. Also, such a project might well be seen to require full application of a risk analysis process. To proceed without risk analysis for such an important project could jeopardize the adoption of such a process later. Setting sights lower could work. For instance, PC security is simple common-sense, and it affects systems users as much as, if not more than, the systems providers. Consistent standards and practices in this area are feasible, will significantly reduce the risk level, and will be extremely visible.
Following adoption of an acceptable risk analysis methodology, business resumption planning - the tactical project with the highest impact - can be undertaken. The project will use all of the organizational structure, take a major portion of the structured document, and require a consistent approach to ensure its success, particularly if you are considering the use of intra-corporation reciprocal sites. The projects must be prioritized to suit the organization. Obviously only a few very major initiatives will be corporate-wide; others will be parochially orientated, but the methods and reasoning used should be consistent. The highest priority of the corporation will often not be the same as that of the local business unit. Resource planning to allow effective compromise in scheduling is therefore essential.
Figure 4: Granting or changing access rights to applications.
Even resolving an issue such as combining or separating security operations and data security administration functions may not be possible to achieve as a consistent solution across the whole organization. But at least, as Figure Four shows, it is possible to standardize a flow of information that provides confirmation and oversight, prevents unauthorized activity and ensures timeliness and completeness. Additional corporate standards and practices could include the security requirements of the media that carry this sensitive information.
Operations
To embark on the bottom line of the plan, with the objective of achieving corporate-wide consistency, will probably mean raising your sights to the level of ‘approach’. The very nature of security operations requires structures and methods to be designed very specifically for local conditions, not for the multinational enterprise. However, in terms of approach, a degree of consistency can be achieved. The primary function of an information security operations section is to administer and/or operate logical access controls. A consistent practice and procedure set for the allocation, change and deletion of access rights can be applied globally.
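The standardized access-rights flow that Figure Four describes, modelled as an added example (not code from the original article): a request passes through owner approval, administrator implementation and owner confirmation, each hand-off enforcing separation of duties, and a reconciliation reports overdue requests (timeliness) and rights on a system that no confirmed request explains (completeness). The application owners, administrator accounts and SLA are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data (hypothetical names): who owns each application and
# which security administrators may change access rights on it.
APP_OWNERS = {"payments": "owner.payments", "ledger": "owner.ledger"}
ADMINS = {"secadmin.london", "secadmin.newyork"}
T0 = datetime(2024, 1, 8, 9, 0)        # constructed reference time
HOUR, DAY = timedelta(hours=1), timedelta(days=1)
SLA = 2 * DAY                          # assumed time allowed from request to implementation


@dataclass
class AccessRequest:
    app: str
    user: str
    requester: str
    raised: datetime
    history: list = field(default_factory=list)   # audit trail of (step, actor, time)

    @property
    def state(self):
        return self.history[-1][0] if self.history else "requested"

    def _step(self, expected, step, actor, when):
        if self.state != expected:
            raise ValueError(f"{step} not allowed while {self.state}")
        self.history.append((step, actor, when))

    def approve(self, approver, when):
        # Only the application owner approves, and never a request they raised.
        if approver != APP_OWNERS[self.app] or approver == self.requester:
            raise PermissionError(f"{approver} may not approve {self.app} access")
        self._step("requested", "approved", approver, when)

    def implement(self, admin, when):
        # A security administrator implements; the approver may not do both.
        approver = self.history[-1][1] if self.history else None
        if admin not in ADMINS or admin == approver:
            raise PermissionError(f"{admin} may not implement this change")
        self._step("approved", "implemented", admin, when)

    def confirm(self, owner, when):
        # Confirmation back to the owner closes the loop and gives oversight.
        if owner != APP_OWNERS[self.app]:
            raise PermissionError("only the application owner confirms")
        self._step("implemented", "confirmed", owner, when)


def reconcile(requests, granted, now):
    """Timeliness: open requests older than the SLA. Completeness: rights found
    on a system, as (app, user) pairs, that no confirmed request explains."""
    overdue = [r for r in requests
               if r.state in ("requested", "approved") and now - r.raised > SLA]
    confirmed = {(r.app, r.user) for r in requests if r.state == "confirmed"}
    unexplained = sorted(set(granted) - confirmed)
    return overdue, unexplained
```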
Conclusions
To achieve the desired result, corporate control consistency requires a mandate from the level of management capable of authorizing enterprise-wide consistent change. It is essential, therefore, that the objectives are sold to this management level in a form which is understood there. We have found that this can be successfully achieved using the format of a planned and budgeted project, with a strong emphasis on cost-benefit analysis and a reasonably detailed resource plan. The project plan must also emphasize corporate-wide participation. Bolts of lightning thrown down from Olympian ivory towers are never popular and rarely successful. Divisional or subsidiary autonomy has often been won as a result of long and bloody campaigns. Consequently anything that indicates a project being ‘run from the centre’ is seen to mean a loss of autonomy and stands a good chance of being buried very quickly. Spending weeks, or even months, developing an elegant strategy before doing anything tangible could gradually lose the controls specialist his or her support from above, below, and even the peer group. In this case visibility is minimal for a long time, with only a tiny minority able to see the work in progress. Substantial impact will be achieved by using time-sliced work patterns enabling (over the period of, say, a month) concurrent strategic (corporate culture) work, undertaking useful security projects, participation in IT projects and effectively operating day-to-day security mechanisms. Visibility would be unconstrained, allowing the opportunity to market the necessary positive messages.
Corporate inspectors, internal auditors, compliance officers, quality assurers, security specialists, personnel professionals and organization and methods specialists would all gain immense benefits should such a corporate-wide controls initiative be successful. If all of these controls and ‘semi-controls’ departments were to work cohesively on a project such as this, then success would obviously be far easier to achieve than if any specialist group were to attempt such an exercise in isolation. Ironically such cohesion, such consistency of effort, is seldom attempted, rarely achieved and almost never maintained.
Norman Hoppé is a primary lecturer for Zergo’s training division, where he is responsible for training security staff and internal auditors at the UK’s main clearing banks and other major European financial institutions. He is also head of Zergo’s Management Consultancy Group. He is an IT advisor to the Centre for International Documentation of Organized and Economic Crime, and is a member of both the ISSA and EDPAA.