Security management and operations should not be viewed as an isolated or islanded process. In fact, they have interwoven relationships with other IT processes. Under ITIL v3 [2], security management is one of the key processes categorized under Security Design [3]. It is defined as the process that ensures confidentiality, integrity and availability (known as the “C-I-A triad”) of information assets and IT services. Besides Security Design, the processes under Service Operation are also heavily linked to security. Security management and operations should be viewed as an integral part of all ITIL processes because information security must be effectively managed in all services and service management activities.
This newsletter describes how a University can design and implement security management and security operations according to industry’s best practices.
The word “management” means the act or skill of planning, leading, controlling and making decisions to achieve targeted goals. Likewise, security management is about controlling and making decisions on security matters. In practice, however, many organizations and security personnel are constantly firefighting problems and incidents. Instead of controlling security matters, they are being “controlled” by the fuss of their daily chores.
Good security management should at least include the elements of understanding the risk exposure of an organization, building sound governance to manage security, and monitoring security continuously so as to assure that protections are effective.
To manage security effectively, an organization must understand its security risk posture in the first place. For example, banks often undergo hacking intrusions on their online banking systems, so banks have to design and implement sufficient security protection for those systems. For Universities, the risk varies: what best suits a bank in terms of security may not be applicable to a University environment. It is more appropriate for a University to go through a comprehensive risk assessment exercise, which is a process to identify and evaluate risks, the potential impact on the University, and the probability that a particular event will occur. Once security risks are identified and evaluated, appropriate security controls and countermeasures can then be determined to effectively manage the perceived risks.
Examples – Security Governance
There are many ways of raising IT security policy awareness. Examples include:
Design appropriate banners and posters and place in conspicuous area
Display awareness messages in logon banners and screen savers
Post articles and written materials regularly on the internal information security web portal
Include an awareness session on information security during new employee orientation training
Broadcast through email reminders
Use a social media platform such as Yammer to spread awareness
“If you can’t measure it, you can’t manage it.” -- Peter Drucker, management guru
Similarly, security can be better managed if a set of metrics can be developed and adopted for measurement.
One of the weakest doorkeepers of security is people. If users do not know how to practice safe computing, malicious software can be dropped onto their endpoints without anyone noticing. If there is no baseline for IT department personnel to follow when configuring network infrastructure and developing applications, vulnerabilities can be introduced that lure attackers into compromising the systems.
In order to manage security effectively, Universities are advised to develop and enforce a set of security policies, standards and guidelines. These documents will outline the management directives and security requirements on how to protect confidentiality, integrity and availability of critical information assets.
The successful roll-out of security governance hinges on effective coordination and communication among the varied stakeholders during development, implementation, gap analysis and regular review of the policies, standards and guidelines. Therefore, clear segregation of responsibility and organizational roles should be defined to properly administer information security. Beyond that, awareness training and education promotion are also essential, so that the University community is regularly reminded to read, understand and follow the established policies, standards and guidelines.
Security solutions should be designed with two focus areas: functional and assurance requirements. Functional requirements refer to the aspects of a solution such as features and capabilities of a firewall. It is common that IT personnel will focus on the functions but ignore assurance requirements which are about verifying that security solutions are selected and implemented as intended.
Assurance can include the following activities:
1. Execute monitoring and reviewing of procedures and other supplementary controls to:
   - Promptly identify attempted and successful security breaches and incidents;
   - Give management direct visibility into whether the security activities delegated to people or implemented in systems are performed as expected;
   - Help detect security events and thereby prevent security incidents through the use of indicators; and
   - Determine whether the actions taken to resolve a breach of security were effective.
2. Undertake regular security review and vulnerability assessment to assess risks and effectiveness of implemented controls.
3. Measure the effectiveness of controls to verify that security requirements have been met.
4. Update security policy on a regular basis and take into account the observations during monitoring and reviewing activities.
Universities can start off by defining service level agreements which cover security management requirements such as availability. Other measurement figures such as the number of security incidents, percentage of machines with latest malware signature updates, percentage of servers with latest patches updated can be calculated.
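The metrics named above (patch currency, malware signature currency, incident counts) are easy to state but only useful once they are computed consistently from an inventory. The following added example, which is not part of the newsletter, shows one way to do that in Python against a constructed host inventory and incident list; the 30-day patch window and 2-day signature window are assumed SLA values, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data: hostnames, dates and tickets are made up for illustration.
TODAY = date(2024, 3, 1)

@dataclass
class Host:
    name: str
    role: str                 # "server" or "workstation"
    last_patch: date          # date the latest approved patch set was applied
    signature_date: date      # date of the malware signature set currently in use

@dataclass
class Incident:
    ticket: str
    severity: str             # "high", "medium" or "low"
    opened: date
    closed: Optional[date] = None

HOSTS = [
    Host("srv-web-01", "server", date(2024, 2, 20), date(2024, 2, 29)),
    Host("srv-db-01", "server", date(2023, 12, 1), date(2024, 2, 28)),
    Host("srv-mail-01", "server", date(2024, 2, 25), date(2024, 1, 15)),
    Host("ws-lib-101", "workstation", date(2024, 2, 10), date(2024, 2, 29)),
    Host("ws-lib-102", "workstation", date(2024, 1, 5), date(2024, 2, 29)),
]
INCIDENTS = [
    Incident("INC-1001", "high", date(2024, 2, 2), date(2024, 2, 3)),
    Incident("INC-1002", "low", date(2024, 2, 10), date(2024, 2, 10)),
    Incident("INC-1003", "medium", date(2024, 2, 27)),
]

# Assumed service-level targets (constructed values, not from the newsletter).
PATCH_WINDOW = timedelta(days=30)      # patches applied within 30 days of release
SIGNATURE_WINDOW = timedelta(days=2)   # malware signatures no older than 2 days

def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def patch_compliance(hosts: List[Host], role: Optional[str] = None, today: date = TODAY) -> float:
    """Percentage of hosts (optionally of one role) patched within the window."""
    group = [h for h in hosts if role is None or h.role == role]
    ok = [h for h in group if today - h.last_patch <= PATCH_WINDOW]
    return pct(len(ok), len(group))

def signature_compliance(hosts: List[Host], today: date = TODAY) -> float:
    """Percentage of hosts whose malware signatures are current."""
    ok = [h for h in hosts if today - h.signature_date <= SIGNATURE_WINDOW]
    return pct(len(ok), len(hosts))

def incident_summary(incidents: List[Incident], start: date, end: date) -> Dict:
    """Incidents opened in [start, end]: total, split by severity, and how many remain open."""
    in_period = [i for i in incidents if start <= i.opened <= end]
    by_severity: Dict[str, int] = {}
    for i in in_period:
        by_severity[i.severity] = by_severity.get(i.severity, 0) + 1
    return {"total": len(in_period), "by_severity": by_severity,
            "still_open": sum(1 for i in in_period if i.closed is None)}

def kpi_report(hosts: List[Host] = HOSTS, incidents: List[Incident] = INCIDENTS,
               today: date = TODAY) -> Dict:
    """The figures a monthly security report would carry, computed from the inventory."""
    return {
        "server_patch_pct": patch_compliance(hosts, "server", today),
        "all_patch_pct": patch_compliance(hosts, None, today),
        "signature_pct": signature_compliance(hosts, today),
        "incidents_last_30d": incident_summary(incidents, today - timedelta(days=30), today),
    }

if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

The same functions can be run each month with the live inventory so that the trend, not just the snapshot, is available to management.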
“…it is not the strongest of the species that survives, nor the most intelligent; it is the one that is the most adaptable to change.” -- Charles Darwin
Change management comes in plenty of forms [5].
- If the change request is for a routine change, the routine change workflow needs to take place which may not require extra approvals.
- If the change request is for a comprehensive or emergency change, approval needs to be obtained from change advisory board (CAB) before going through the emergency change workflow.
- If the change request is for a comprehensive or emergency change with high risks, extra special approval needs to be obtained. For example, if the change request will trigger service downtime and possibly financial loss to the company, the CFO needs to be involved in the approval flow.
Security operations, as the name implies, refers to the operational practice for dealing with security matters. A set of operational manuals is set up accordingly as baselines for security professionals to follow during their daily operational tasks. “Service Operation” as defined in ITIL v3 refers to the operational processes that make sure IT services are delivered effectively and efficiently. Similarly, security operations disciplines the operational processes to a defined security level and tackles the risk exposures identified along the way.
Organizations encounter change requests on their IT services frequently. Change management is a systematic approach for managing the security risks underlying each change. A change advisory board (CAB) should be established, involving key stakeholders, to prioritize and approve change requests. Both technical and business perspectives should be evaluated during change management processes.
A typical change management process is initiated at the time a request-for-change (RFC) is created. The CAB then reviews the RFC and assesses the risks, whilst testing and validation of the changes (i.e. technical review) are sometimes required in parallel to point out what adverse impacts would be triggered. If system downtime or other business-critical issues could possibly happen, a contingency such as a backup plan is required to restore the business within a tolerable timeframe. Since the success of a change implementation cannot be foreseen, having a fall-back plan is always a wise choice. Once the RFC is approved, the changes are implemented, and the change management process ends when the post-implementation review has been completed.
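The approval routing in the three bullet points above (routine, comprehensive/emergency, and high-risk changes) and the RFC lifecycle just described can be captured as a small state machine. The Python below is an added example, not part of the newsletter or any ITIL tooling; the role names "CAB" and "CFO" follow the text, while the rule that a requester may not approve their own RFC is an assumed segregation-of-duties check, not something the page prescribes.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set

class ChangeType(Enum):
    ROUTINE = "routine"
    COMPREHENSIVE = "comprehensive"
    EMERGENCY = "emergency"

class State(Enum):
    SUBMITTED = "submitted"        # RFC created, awaiting CAB review
    APPROVED = "approved"
    REJECTED = "rejected"
    IMPLEMENTED = "implemented"
    CLOSED = "closed"              # post-implementation review completed

@dataclass
class RFC:
    rfc_id: str
    requester: str
    change_type: ChangeType
    causes_downtime: bool = False      # risk flag: service downtime expected
    financial_loss: bool = False       # risk flag: possible financial loss
    fallback_plan: str = ""            # contingency to restore service if the change fails
    approvals: Set[str] = field(default_factory=set)   # roles that have signed off
    state: State = State.SUBMITTED
    log: List[str] = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        return self.causes_downtime or self.financial_loss

def required_approvals(rfc: RFC) -> Set[str]:
    """Roles whose sign-off is needed before the RFC can be approved."""
    if rfc.change_type is ChangeType.ROUTINE:
        return set()                   # routine workflow: no extra approvals
    needed = {"CAB"}                   # comprehensive/emergency: CAB approval first
    if rfc.high_risk:
        needed.add("CFO")              # downtime or financial loss: special approval
    return needed

def record_approval(rfc: RFC, role: str, approver: str) -> None:
    """Record a sign-off. Assumed segregation-of-duties rule: no self-approval."""
    if approver == rfc.requester:
        raise PermissionError(f"{approver} cannot approve their own RFC {rfc.rfc_id}")
    rfc.approvals.add(role)
    rfc.log.append(f"{role} approval recorded by {approver}")

def review(rfc: RFC) -> State:
    """CAB review: approve only when every required sign-off is present and,
    for a high-risk change, a fallback plan has been documented."""
    if rfc.state is not State.SUBMITTED:
        raise ValueError(f"{rfc.rfc_id} is not awaiting review")
    missing = required_approvals(rfc) - rfc.approvals
    if missing:
        rfc.log.append(f"rejected: missing approvals {sorted(missing)}")
        rfc.state = State.REJECTED
    elif rfc.high_risk and not rfc.fallback_plan.strip():
        rfc.log.append("rejected: high-risk change without a fallback plan")
        rfc.state = State.REJECTED
    else:
        rfc.log.append("approved")
        rfc.state = State.APPROVED
    return rfc.state

def implement(rfc: RFC) -> State:
    if rfc.state is not State.APPROVED:
        raise ValueError(f"{rfc.rfc_id} cannot be implemented from state {rfc.state.value}")
    rfc.log.append("implemented")
    rfc.state = State.IMPLEMENTED
    return rfc.state

def post_implementation_review(rfc: RFC, succeeded: bool) -> State:
    """Close the RFC; a failed change is recorded as having invoked the fallback plan."""
    if rfc.state is not State.IMPLEMENTED:
        raise ValueError(f"{rfc.rfc_id} has not been implemented")
    outcome = "success" if succeeded else "fallback plan invoked"
    rfc.log.append(f"post-implementation review: {outcome}")
    rfc.state = State.CLOSED
    return rfc.state

if __name__ == "__main__":
    # Constructed walk-through: an emergency firewall change that causes downtime.
    rfc = RFC("RFC-0042", "alice", ChangeType.EMERGENCY, causes_downtime=True,
              fallback_plan="restore previous firewall ruleset from backup")
    print("required approvals:", sorted(required_approvals(rfc)))
    record_approval(rfc, "CAB", "bob")
    record_approval(rfc, "CFO", "carol")
    for step in (review(rfc), implement(rfc), post_implementation_review(rfc, True)):
        print("state:", step.value)
    print("\n".join(rfc.log))
```

Keeping the routing rule in one function (`required_approvals`) means the CAB's policy can be reviewed in one place, and the audit log on each RFC gives the post-implementation review its evidence.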
Access controls to an organization’s applications and networks rely upon the authentication and authorization of users. Validation of credentials is essential to truly identify an individual. Compromised credentials, particularly those with high privileges, allow attackers to behave as an insider and compromise systems. An organization like a University community keeps acquiring users as new students enroll. Hence the University should seek a solution to tackle the emerging risks brought by credential management.
The University should design and implement an appropriate credential management process to manage passwords, keys and certificates and keep track of their status, such as password changes and certificate expiration and renewal, to ensure effective operations.
Security Information and Event Management
Security Information and Event Management (SIEM) monitors and analyzes network and application traffic. SIEM can be provided as a software tool, an appliance, or even a managed service.
By monitoring real-time data, SIEM can correlate security events against preset rules and generate alerts for threats or incidents. In addition, it can generate incident reports and compliance reports for efficient security operation management.
Case Study – Incident Management [7]
At the University of Oviedo, there are 30,000 people across four campuses: Oviedo, Gijón, Avilés and Mieres. Incident management is performed at two action levels: institution level and education centre level. At institution level is the User Care Centre (UCC). It sorts out IT problems for the academic and administrative communities as a whole. There is an automated IT incident management tool (XPERTA), as well as an institutional website for support. At education centre level, which can be a specific faculty, the service provides lecturers and students with assistance for incidents arising from teaching-related activities.
The purpose of incident management is to restore business within a tolerable service interruption and to minimize the business impact incurred, so that service availability can be maintained.
Incident management can include the following activities:
Detect and log incident based on service interruption or server and system alerts;
Categorize the incident according to predefined priority levels and take corresponding escalation procedures;
Investigate the incident and analyze the root cause (for example, the service interruption is caused by a malware infection);
Resolve the problem and recover the business operation;
Close the incident case after service resumption; and
Review the incidents and update the incident handling processes to support continuous service operation.
Besides implementing the process, periodic incident management training should be provided to operations personnel.
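The SIEM correlation described in the Security Information and Event Management section and the detect/categorize/escalate steps listed above fit together in one pipeline: a rule fires on correlated log events, and the resulting alert is logged as an incident with a priority and an escalation path. The Python below is an added example, not code from the newsletter or from any SIEM product. The log lines are constructed (the source addresses are from the reserved documentation ranges), the "three failures then a success within 60 seconds" rule, the impact/urgency priority matrix and the escalation targets are all assumed local policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample log lines in a syslog-like layout; hosts and addresses are made up.
LOG_LINES = [
    "2024-03-01T09:00:01 srv-vpn-01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:05 srv-vpn-01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:09 srv-vpn-01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:20 srv-vpn-01 sshd: Accepted password for admin from 203.0.113.7",
    "2024-03-01T09:05:00 ws-lib-101 av: Malware detected: Trojan.Generic quarantined",
    "2024-03-01T09:07:00 srv-web-01 sshd: Failed password for deploy from 198.51.100.4",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

# Assumed correlation rule: this many failures within the window, then a success.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(seconds=60)

# Assumed priority matrix: impact and urgency ranks add up to a P1..P4 priority.
LEVELS = {"high": 0, "medium": 1, "low": 2}
ESCALATION = {                       # assumed escalation targets and response targets
    "P1": "security on-call and CISO, respond within 15 minutes",
    "P2": "security on-call, respond within 1 hour",
    "P3": "service desk security queue, respond within 8 hours",
    "P4": "service desk, next business day",
}

def parse(line: str) -> Dict:
    """Split one log line into timestamp, host, program and message; {} if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def correlate(lines: List[str]) -> List[Dict]:
    """Run the preset rules over the lines and return the alerts they raise."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # recent failures per source
    alerts: List[Dict] = []
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        auth = AUTH_RE.match(ev["msg"])
        if auth:
            window = failures[auth["src"]]
            while window and ev["ts"] - window[0] > FAIL_WINDOW:   # drop stale failures
                window.popleft()
            if auth["result"] == "Failed":
                window.append(ev["ts"])
            elif len(window) >= FAIL_THRESHOLD:                      # success after a burst
                alerts.append({"rule": "brute-force-then-success", "host": ev["host"],
                               "src": auth["src"], "user": auth["user"], "ts": ev["ts"],
                               "impact": "high", "urgency": "high"})
                window.clear()
        elif ev["prog"] == "av" and ev["msg"].startswith("Malware detected"):
            alerts.append({"rule": "malware-detected", "host": ev["host"], "ts": ev["ts"],
                           "impact": "medium", "urgency": "medium"})
    return alerts

def priority(impact: str, urgency: str) -> str:
    score = LEVELS[impact] + LEVELS[urgency]
    return {0: "P1", 1: "P2", 2: "P3"}.get(score, "P4")

def open_incident(alert: Dict, ticket: str) -> Dict:
    """Log the alert as an incident, categorize it and record who it escalates to."""
    prio = priority(alert["impact"], alert["urgency"])
    return {"ticket": ticket, "rule": alert["rule"], "host": alert["host"], "priority": prio,
            "escalate_to": ESCALATION[prio], "state": "open",
            "history": [f"{alert['ts'].isoformat()} detected by rule {alert['rule']}",
                        f"categorized {prio}, escalated to: {ESCALATION[prio]}"]}

def close_incident(incident: Dict, root_cause: str) -> Dict:
    """Record the root cause found during investigation and close the case."""
    incident["history"].append(f"root cause: {root_cause}")
    incident["state"] = "closed"
    return incident

def run(lines: List[str]) -> List[Dict]:
    return [open_incident(a, f"INC-{n:04d}") for n, a in enumerate(correlate(lines), start=1)]

if __name__ == "__main__":
    for inc in run(LOG_LINES):
        print(inc["ticket"], inc["priority"], inc["rule"], "on", inc["host"])
```

The single failure from 198.51.100.4 never reaches the threshold and raises nothing, which is the point of correlating over a window rather than alerting on every failed login.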
Security Device Management
Security devices include routers, firewalls, Intrusion Detection Systems (IDS), Intrusion Protection Systems (IPS) and other devices deployed as security measures to protect against security threats. Security device management refers to monitoring and maintaining these devices. Patches and updates are critical to keep security devices current against the latest threats; where applicable, security ruleset and signature updates should also be applied so that threats are detected and prevented.
In addition to the prevailing security devices, leading security vendors are launching new security devices and modules for discovering zero-day cyber threats and malware attacks.
Separation of Duties [9]
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions.
Specific examples of segregation of duties are as follows:
- The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
- The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
- The person who approves the purchase of goods or services should not be able to obtain custody of checks.
- The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.
Threat and Vulnerability Management
Threat and vulnerability management provides a proactive approach for an organization to mitigate the risks present. It is driven by business initiatives to assess the potential critical impacts and the likelihood of threats occurring. A threat and vulnerability management program includes three key elements [8]:
Asset Inventory (where information resides)
Threat and Vulnerability Analysis (identify threats and analyze the likelihood of impact, a threat level should be assigned)
Vulnerability Management (use countermeasures and mitigation controls to lower the risk posed by threats and vulnerabilities identified)
For organizations, threat and vulnerability management facilitates the risk mitigation in security operations. By adopting a risk-based approach, threats and vulnerabilities should be identified and the likelihood of impact should be analyzed. Tools can be utilized to assist threat and vulnerability management. For universities, a pragmatic threat and vulnerability management program should be developed and periodic vulnerability assessments should be performed to eliminate the security threats.
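The three elements listed above (asset inventory, threat and vulnerability analysis with an assigned threat level, and countermeasures that lower the risk) can be tied together in a risk register. The Python below is an added example, not part of the newsletter or of the cited program description. The asset criticality and likelihood scales (1 to 5), the score thresholds for each threat level, and the number of likelihood steps each countermeasure removes are assumed values for illustration; the assets and findings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Asset:
    name: str
    owner: str
    criticality: int       # 1 (low) .. 5 (critical): business impact if compromised

@dataclass
class Vulnerability:
    asset: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain) that a threat exploits it
    mitigated_by: List[str] = field(default_factory=list)   # countermeasures in place

# Element 1: asset inventory (constructed sample; names, owners and ratings are made up).
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("srv-db-01", "registry", 5),
    Asset("srv-vpn-01", "network team", 5),
    Asset("srv-web-01", "web team", 4),
    Asset("ws-lab-101", "library", 2),
]}

# Element 2: findings from threat and vulnerability analysis (constructed sample).
VULNS = [
    Vulnerability("srv-db-01", "database engine missing vendor patches", 4),
    Vulnerability("srv-web-01", "outdated web framework", 4, ["waf"]),
    Vulnerability("ws-lab-101", "users hold local admin rights", 3, ["network-segmentation"]),
    Vulnerability("srv-vpn-01", "password-only remote access", 5, ["mfa"]),
]

# Element 3: assumed effect of each countermeasure, as likelihood steps removed.
COUNTERMEASURES = {"patch": 3, "waf": 2, "mfa": 2, "network-segmentation": 1}

def residual_likelihood(v: Vulnerability) -> int:
    """Likelihood after the countermeasures in place, never below 1."""
    reduction = sum(COUNTERMEASURES[m] for m in v.mitigated_by)
    return max(1, v.likelihood - reduction)

def risk_score(likelihood: int, criticality: int) -> int:
    return likelihood * criticality          # 1..25 on the assumed scales

def threat_level(score: int) -> str:
    """Assign a threat level from the score (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def risk_register(vulns: List[Vulnerability], assets: Dict[str, Asset]) -> List[Dict]:
    """Inherent and residual risk per finding, highest residual risk first."""
    rows = []
    for v in vulns:
        crit = assets[v.asset].criticality
        inherent = risk_score(v.likelihood, crit)
        residual = risk_score(residual_likelihood(v), crit)
        rows.append({"asset": v.asset, "owner": assets[v.asset].owner,
                     "finding": v.description, "inherent": inherent,
                     "inherent_level": threat_level(inherent), "residual": residual,
                     "residual_level": threat_level(residual), "controls": list(v.mitigated_by)})
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))

if __name__ == "__main__":
    for row in risk_register(VULNS, ASSETS):
        print(f"{row['asset']:<11} {row['residual_level']:<8} residual={row['residual']:>2} "
              f"inherent={row['inherent']:>2} controls={row['controls']}")
```

Sorting on residual rather than inherent risk is what makes the register actionable: it shows where the next countermeasure buys the most, and the unmitigated database finding lands at the top even though the VPN finding has the higher inherent score.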
Reminder about Separation of Duties
For the sake of avoiding conflict of interest in security operations, separation of duties defines clear roles and responsibilities among different individuals. It also proves to be an effective way to prevent fraud and error. How do universities know how well they are performing?
Key Performance Index
Key performance index (KPI) is quantifiable measurement to reflect the success of an activity (e.g. security management and operations). To determine the efficiency and effectiveness of security management and operations, examples of KPI include the following:
Business protected against security violations, such as decrease in security breaches and incidents;
Increase in the acceptance and conformance of security policy and process in meeting with the business objectives;
Increase in support and commitment of senior management on security management and operations procedures;
An effective mechanism for improving the security policies and controls;
Increase in staff awareness of security knowledge and best practices; and
Improvement on service levels performed by IT Service Desk.
Security management and operations are integral components in achieving business excellence. Security Management evaluates and manages corporate risks in terms of Information Security. Security Operations provides detection, investigation and remediation on IT threats, cyber intrusions and incidents.
Universities should make a great effort in adopting security best practices to tackle the threats undergone in daily operations.
[1] We are actually referring to information security management. For simplicity’s sake, the term “security management” is used throughout this newsletter.
[2] A set of best-practice guidance for IT Service Management. ITIL is owned by the Office of Government Commerce in the UK. It consists of a series of publications giving guidance on the provision of quality IT services, and on the processes and facilities needed to support them. Please refer to http://www.itil.co.uk for more information.
[3] ITIL v3 defines 5 core components: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
[4] “Taking the First Step with PDCA”, 2 February 2009.
[5] “Case Study – Advanced Approval Workflow”, 26 August 2014.
[6] “JOnline: Log Management: A Pragmatic Approach to PCI DSS – ISACA”, by Prakhar Srivastava and Tarun Verma.
[7] “Information Technology Incident Management: A Case Study of the University of Oviedo and the Faculty of Teacher Training and Education”, July 2012.
[8] “Key Elements of a Threat and Vulnerability Management Program”, by John P. Pironti, 2006.
[9] “Segregation of Duties (Preventive & Detective)”, UCLA Corporate Financial Services.