Implementing Information Security: Risks vs. Cost
Gideon T. Rasmussen - CISSP, CISM, CFSO, SCSA
a security professional who understands how the business
world works, I wrote this article to convey the imperative
need for security professionals and senior management to
see eye-to-eye. Being motivated by business, senior management
focuses on productivity and the bottom line. It is sometimes
difficult to calculate a return on investment for security,
but the damage caused by the absence of efficient controls
is far greater than the cost of implementing them.
the past few years, there have been several highly publicized
security incidents ranging from fraud to terrorism. These
events demonstrated the need for disaster recovery plans
and checks and balances within accounting systems. Many
threats present themselves internally in the form of disgruntled
or dishonest employees or as the result of social engineering.
Human error and neglect are also examples of internal threats.
New threats emerge daily. For more information, refer to
the CSI/FBI Computer Crime and Security Survey.
U.S. is beginning to mandate information security based
on the concepts of due diligence and the prudent man principle.
The most recent examples are the Sarbanes-Oxley Act (SOX),
the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance
Portability and Accountability Act (HIPAA). Compliance with
government regulations represents a threat of a sort. Under
SOX, senior management is responsible for the accuracy of
financial statements. Criminal penalties include fines of
$1-5 million and prison terms of 10-20 years. A popular
international standard is the Code of Practice for Information
Security Management (ISO 17799).
of control frameworks have been developed to meet financial
and IT security concerns. Two of the leading standards are
the Internal Control - Integrated Framework - Committee
of Sponsoring Organizations of the Treadway Commission (COSO)
and Control Objectives for Information and related Technology
governance and compliance must be addressed with a formal
information security program. Basic elements include security
policies, an annual audit and internal controls to mitigate
threats and vulnerabilities. Nothing can take the place
of an information security audit. It is critical to take
a snapshot of each site's security posture and work against
management should be aware of the state of the information
security program. Usually this is facilitated through an
annual security audit report and monthly security status
the absence of current information, it is a good exercise
to ask the following questions of information security management:
employees required to sign off on the general security policy
and specific policies in their functional area as well?
have applicable security standards been met (e.g. SOX, GLBA
control frameworks are in use (e.g. COSO, CobiT and/or ISO
are logical and physical perimeters defined? Please provide
rationale and diagrams.
security built into custom applications from the design
all systems routinely patched and hardened?
strictly controlled development environments in place (e.g.
development, quality & user acceptance)?
is the maturity level of business continuity and disaster
accesses systematically rescinded when an employee leaves
or their role changes?
general, are internal controls layered (i.e. defense-in-depth
are the concepts of least privilege and separation of duties
a tactical incident response program in place?
are the details of the security
recently have each of these topics been addressed? Are they
a culture of security is critical. Information security
managers must be well versed in the breadth of the IT career
field and other disciplines as well (e.g. physical security,
accounting and human resources management). In addition,
a security manager must be a passionate advocate and an
effective communicator. Interpersonal skills should include
the ability to communicate in non-technical terms.
small organizations lack a dedicated information security
professional. This practice should be avoided. As you can
see, an effective security program requires constant care
and feeding. A dedicated information security professional
will reduce the high cost associated with unmanaged risk.
the impact on an organization if it does not adequately
mitigate risks. In the end, how an organization approaches
security depends on its appetite for risk. A healthy dose
of paranoia is warranted here. After all, the stakes are
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission