Introduction – Governance and Internal Controls for Cutting Edge IT


“The charm of history and its enigmatic lesson consist in the fact that, from age to age, nothing changes and yet everything is completely different.” Aldous Huxley

What is the Cloud and Cutting Edge IT?

My entire professional career, as well as that of my husband, has been in information security, risk, and controls. For the better part of 30 years, we found ourselves in countless discussions with management of various organizations, enumerating risks and recommendations to protect company reputation, information, business capability, and adoption of emerging technology. Readers of this book will relate to the typical management discussion scenario: imprecision about the exact nature of the risk and its probability of occurrence, and lack of definition about the costs associated with an acceptable level of mitigation. It is subjective opinion to describe what could go wrong, the probability it will go wrong, and how much exactly would need to be done to prevent loss. Therefore, it was quite the interesting experience to be on the receiving end of the risk discussion when we decided that we would begin implementing a personal family disaster plan. It makes sense: we live in a seismically active region with a dormant volcano, surrounded by water with one road for ingress and egress. As we collected proposals and bids for creating a sense of self-reliance in the event of a major seismic event, we realized, “This is crazy! What are the chances that this would really happen? This is ridiculously expensive!” Then we had a good laugh at the irony of our reaction.

I share this personal vignette to illustrate a point: as risk and control professionals, we are collectively in the position of trying to predict exposure and to mitigate it to healthy levels. It is not an easy task for the prognosticator or the receiver of the news. Looking back 20 years, it wasn’t easy to evaluate risk and visualize a control framework in anticipation of distributed computing, it wasn’t easy when the Internet was commercialized, it wasn’t easy for the Y2K event, and it is not easy for Cloud Computing. It is much harder now in the second decade of the 21st century. As risk and control professionals, we must constantly be evaluating new ways to streamline what we do because the “hamster wheel of pain” for reducing IT risk in this rapidly emerging world of IT opportunity is not slowing down.

For example, Cloud Computing has dominated the discussion of cutting edge IT for much of the last decade. Cloud Computing in all its various forms brings benefits of enterprise computing capability without the commitment and investment required by “in-house” computing capabilities: expertise of specialized people, hardware, software licenses, power, floor tiles, third-party contracts, and so forth. Arguably, Cloud Computing provides a layer of abstraction between the core business focus of an enterprise, and the nuts-and-bolts operations of the IT necessary to make it work. It also brings with it risk and control issues that, as of writing, are not well understood by business management and are not resolved.

The stakes are higher than they have ever been for IT. Of all the external factors that could influence the success of a company, technology is the most critical. According to IBM’s study involving more than 1,700 chief executive officers, market factors, globalization, people skills, socioeconomics, and regulatory factors are all taking a back seat to the recognized impact that technology can have upon the competitiveness and opportunity of the enterprise. This is unprecedented. The opportunities perceived in Cloud Computing models are just a part of the reason that technology is front of mind for executives: the realization of the opportunity and impact of IT has brought its criticality into focus.

Technology is the backbone of life in developed nations. Electricity, water, food distribution, transportation, accessibility to information and data, finance, and telecommunications would be seriously disrupted if the information technology infrastructure were to be unavailable. But executives’ focus on technology goes beyond assuring its availability. The evolution of technology, the disruptive nature of its influence on society and business, and the opportunity available to those who are able to seize it and exploit it fuels innovation and imagination and drives new business and social benefit.

In this competitive, dynamic, technology-rich field of opportunity, risk and control professionals find themselves increasingly on the horns of a dilemma. Managing risk has more unknowns, and due diligence for the protection of sensitive information assets is not fully understood by adopters. Coming quickly on the heels of Cloud Computing adoption are technology opportunities (and associated challenges) such as social business, crowdsourcing, bring-your-own-device mobile computing, consumerization of IT, big data, and the Internet of Things. These opportunities, and others, are individually and collectively a representation of “cutting edge IT.” Every chief information officer (CIO) and chief information security officer (CISO) has experienced the balancing act of budget, legacy IT, and the seductive apparent promise of cutting edge IT. As a community, we have been behind the power curve in this balancing act since computing emerged from its glasshouse.

At the same time, the threat environment surrounding information systems has never been more opportunistic. While each organization will need to evaluate risk individually, the need for a streamlined approach to managing risk to responsible levels has never been greater. The community of risk and control professionals simply cannot keep up with the technology appetite, rate of change, and exploding threats affecting information systems. Organizations will need to change their overall approach to risk and controls for adopting cutting edge IT, or face becoming “road kill on the information superhighway.” Companies often, either willfully or ignorantly, underestimate the need and cost of doing business when it comes to IT, and, to use a cliché, implementing any IT, let alone cutting edge IT, without the appropriate and expedient attention to risk and controls is “a dog that just won’t hunt.” My personal experience at sticker shock for family disaster readiness has not diminished professional commitment: be ready to demonstrate due diligence to a standard of care appropriate for one’s business. This is a core message of this book.

There are many excellent publications focusing on the principles and techniques for security and controls for IT. ISACA® publishes a risk and control framework, the newly released COBIT 5®, for governing and managing the investment in IT; it allows any relevant standard, such as the ISO20000 and ISO27000 series, to be incorporated as appropriate for the enterprise. The purpose of this book is to offer perspective, strategies, and some techniques that will give IT and business management a jumpstart for success when faced with business drivers that demand cutting edge IT solutions. This book is a supplement to the many existing frameworks, standards, controls, and guidelines available today.

A Growing Gap

The inspiration for this text was born from a career of riding IT transformational waves, and of trying to avoid being the “spoiler” in those campaigns. As IT transitioned from mainframe to distributed computing, my program group in Boeing’s Research and Technology unit experimented with multiple computing models such as DCE, CORBA, and OSI. We worked to understand the proper technical constructs for protecting information systems that were rapidly moving from the established, well-understood monolithic model. In the early 1990s, a colleague at Boeing demonstrated the ability for unauthorized macro execution within a new product from Microsoft® called Excel®. Three years later, the Concept.A macro virus for Word® was discovered “in the wild.” A hypothetical security risk had just become reality. In 1995, the commercialization of the Internet, and the advent of the Mosaic browser from CERN, generated significant interest for what it could do for us, but the evaluation of what it could do to us was, again, difficult to put into words. It was very hard to have the discussion about potential things that could go wrong outside of the security profession. Budgets were not yet allocated to keep pace with the rate of change to security requirements and emerging threats that came with distributed computing and the Internet. The net effect of this decade of IT change and the embrace of new technology was that information security was grossly behind the power curve. The risk is that the gap will continue to grow if we do not find a security and control paradigm that will keep up with the rate of change of technology.

The gap between opportunity and security that exploded between these two disruptive IT events is one that is yet to be closed. This gap has created business opportunity for those who have not played by “the rules” of polite society since the days of phone phreaking Captain Crunch. In 2009, the amount of malware contained in the trillions of e-mail messages sent increased by 900% over just the previous year. According to the Cisco 2009 Annual Security Report Global Adversary Resource Market Share (ARMS) Race Index, enterprise networks are experiencing persistent infections and consumer systems have significant infection levels and are capable of broad (but not sustained) high-level service abuse.

In the late 1990s, the Internet bubble created investment in global telecommunication infrastructure. The infrastructure laid during the Internet bubble was the equivalent of the ancient Roman road for IT in 2001, in the way it created new connections between remote end points. The interconnectedness of the world led to opportunities for global sourcing of IT services and infrastructure. Virtualization technology created the opportunity for a multi-fold increase in IT infrastructure utilization. The stage was set for technology opportunities on a global scale.

Disruptive Innovation

According to Wikipedia, a “disruptive innovation is an innovation that helps create a new market and value network, and eventually goes on to disrupt an existing market and value network (over a few years or decades), displacing an earlier technology.” Distributed computing was a disruptive innovation. The Internet was a disruptive innovation. Recent examples might include, depending on one’s perspective, the Sony Walkman, Apple’s iPad, CDMA, the Internet, and the malicious code called “Stuxnet.” The day after these innovations were revealed, we knew things had dramatically changed and the potential for doing things, whether personal computing or information warfare, would never be what it was the day before. Disruptive innovations create opportunity for early adopters and can create liability for laggards. Not every disruptive innovation gets adopted – as they say, timing is everything.

Impact of Disruptive Events

Disruptive events create a context for the adoption of disruptive innovation. In a National Intelligence Commission report published on the basis of a global collaborative exercise, trends and events that will shape our future were identified (National Intelligence Council. Global Trends 2025: A Transformed World. US Government Printing Office: National Intelligence Council, 2008). These trends and events, and other publications like them, should be read with an eye to the implications for the technology world, and, in particular, to the drivers for the evolution of the threat landscape affecting the secure, controlled use of information-based technology systems. For example, based on past experience with Stuxnet and recent experience with the Flame malware, together with the prediction of increasing potential for conflict and nuclear escalation in the Middle East, one might reasonably imagine a future with increased cyber warfare techniques like those used in Stuxnet and Flame. This could have an effect on embedded and specialized technology systems, perhaps even extended to back-office information systems, requiring ever-increasing vigilance on controls for prevention of mobile and malicious code. Innovation that would truly be effective at end-to-end, cost-effective protection from mobile and malicious code within a Bring Your Own Device (BYOD) environment may find that it becomes “baseline” rather than “optional” in terms of IT policy.

Another example is the emergence of China, India, and other major developing countries as the first to bring new emerging technology to market. Innovation in the Internet of Things (IoT), seen as a driver of new business models, business processes, and cost reductions, may very well come out of these developing countries, and it will be up to the security and control professionals worldwide to be in front of the adoption curve and to understand the security and control implications of IoT implementations at an architecture and engineering level.

Hopefully, this provides some insight and inspiration to thinking strategically about “cutting edge” information technology, emerging technology, and risk and control in the next decade. We will develop the way these insights can be incorporated into IT governance in the chapter on governance. Similarly, this text will focus on balanced business case analysis for cutting edge IT, evaluating risk strategically, and looking at the dynamic environment of legal and regulatory impacts. These are strategic concerns.

Looking Forward

Strategy has to translate into action. Beyond the governance of cutting edge IT, it is necessary to examine ways to focus on management tools and techniques that will enable us to be secure, well-controlled cutting edge IT organizations. The control techniques and processes associated with managing service levels, third-party relationships, data management, business recovery and continuity, and audit must all adapt using consistent, recognized frameworks.

A complete discussion of information technology and disruptive events and innovation is outside the scope of this text. However, there are a handful of emerging technologies that will affect enterprise information systems and we will discuss the risk management of these further throughout the chapters of this book. These include:

  • Internet of Things
  • Mobile Computing
  • Consumerization of IT
  • Social Business
  • Big Data
  • Crowdsourcing
  • Virtual Life “Alone Together”
  • Cloud Computing.

Rate of Change and Compliance

Risk and control professionals are conducting their assessments and recommendations in a period of unprecedented change. This creates significant challenges for managing legal and regulatory compliance. Organizations may find themselves establishing policy that exceeds local and federal statutory requirements, on the basis of the enterprise’s view of its reputational capital and its ethical standards. This is driven by the rate of change, and by company cultures that focus on compliance either as the letter of the law or as the spirit of the law.

This impact of the rate of change is nowhere more evident than in the reporting and enforcement of breaches of personal information of customers and associates. As corporations made decisions (well governed or not) to move IT functionality to the Cloud, few were prepared to ask the necessary questions to ensure that personally identifiable information was truly protected in a manner commensurate with the potential pain incurred by individuals whose information may be disclosed to unauthorized parties. Security and control checklists cover, in part, the standard questions that should be asked, but typically fail to uncover the weaknesses that may be peculiar to a particular implementation.

For example, one company whose business model was such that its compliance requirements fell outside the enforcement mechanisms of its particular industry requirements made a decision to outsource its HR (human resources) processes, including all HR database information, to a third party. All the necessary legal requirements for trans-border information flow were met, but key answers regarding the technical architecture of the third-party environment remained elusive. Eventually, as a result of a physical security audit undertaken in the foreign countries involved, the actual architecture of the third-party solution was finally understood. However, under the pressure of project timelines, by the time the inadequate controls at the third party were recognized, the entire HR database, including US, Asia Pacific, and EU citizens, had already been transferred. In the meantime, unauthorized exchanges of sensitive information between the parties via Gmail occurred as part of the drive to meet project schedules. The guidelines for disclosure of this fact to the parties whose information was shared did not trigger a disclosure event because the threshold conditions for disclosure were technically not met.

In this particular circumstance, it was very difficult for the enterprise to fully comprehend the implications of the outsourcing project they had undertaken, and once the full details were known, the project was stopped. By then, the HR database had been installed and striped across a RAID (redundant array of independent disks) that was a shared database environment with other tenants and would not be erasable to the standards the company had set for its own information management. No individuals would be notified of the potential for disclosure of their personal information.

This is a circumstance that is broadly shared in major corporations, but rarely recognized, and is directly a result of “rate of change of IT” and shortcuts in IT governance and risk management processes. Prevention is the best antidote, through governance, policy, and processes.

Focus of this Text

One might ask, “What then? If we are behind the power curve, and the rate of change is accelerating, what can one do about risk management, security, and control?” Being in the role of IT security, risk, and control these days is like being in the role of the spoiler – constantly under the pressure of delaying important projects or acquisitions while we try to figure out what controls should be in place. We are at risk of being the organization known for hindering progress and, indeed, sometimes we do. It can be different, however: using a control framework, with the right processes for evaluating risk and security exposure, is like putting great brakes on a hot race car. Brakes are not intended to make a race car go slow – they are intended for a race car to go very fast, and to do so safely. They are like putting up crash barriers along a twisty mountain highway – controls set the boundaries within which an IT organization can operate quickly, efficiently, and safely. This book outlines how fundamentals of IT security and control adapt well to game-changing technology, allowing IT organizations and enterprise leadership to invest confidently in IT while ensuring security and controls meet an appropriate standard of care, even in a rapidly changing threat environment.

Some of the approaches and techniques that will be explored in this text include:

  • Build Once, Comply Many approach to controls;
  • A holistic approach to cost modeling for IT technology to avoid surprises in IT implementations;
  • An updated taxonomy for security goals and functional requirements;
  • A view of emerging trends to watch for enterprise IT and considerations of controls;
  • A governance, risk management, and compliance (GRC) approach to defining and demonstrating a “standard of care” for an agile and adaptable IT.

The control framework utilized for the basic approach for all governance and management controls of IT is COBIT 5®. It is possible to develop “build once, comply many” control strategies that will enable an enterprise to adapt to game-changing technology innovation based on the strategic governance and management processes in COBIT 5®, combined with some specific management processes found in the ISO27000 (Information Security Management) and ISO20000 series (IT Service Management). With the addition of AICPA/CICA Generally Accepted Privacy Principles, this set of frameworks and standards provides a full complement of governance, IT security, IT operations management, and privacy controls within an integrated, holistic approach. Organizations that find themselves needing to comply with a vast array of regulations, statutes, and industry requirements should find this framework adequate to answer all queries, and satisfy all audit and control requirements, although specific report formatting and control checklists may still be required to satisfy various organizations (such as the Payment Card Industry Data Security Standard). Once this comprehensive structure is drafted, it can be reviewed to ascertain that it meets the enterprise standard of care, and any new or developing legislative requirements affecting security, privacy, reporting and so forth can be inserted into the proper position in the framework. Other frameworks and requirements, such as the Cloud Security Controls Matrix, PCI DSS (Payment Card Industry Data Security Standard), and GLBA (Gramm–Leach–Bliley Act), can be mapped to this framework without material changes. This is a “build once, comply many” approach to control for cutting edge IT.

The Basics are Familiar

Recent changes to the COBIT® framework in version 5 describe IT on the basis of Principles and Processes in a Governance and Management framework. ISACA® is working on supplemental documents to support implementation of COBIT 5®. This text focuses on key principles and process areas as set forth in COBIT 5® and affiliated standards that are important for agility in adoption of cutting edge IT.

The COBIT 5® approach to value creation in IT is familiar based on the standards and guidelines already mentioned. At a high level, a build-once-comply-many framework for adaptive, value-creating IT risk and control follows this outline:

Governance per COBIT 5®: Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions, and options; setting direction through prioritization and decision making; and monitoring performance, compliance, and progress against agreed-on direction and objectives (EDM).

This includes executive level processes such as:

  • Ensure Governance Framework Setting and Maintenance
  • Ensure Benefits Delivery
  • Ensure Risk Optimization
  • Ensure Resource Optimization
  • Ensure Stakeholder Transparency.

These governance processes align with international standards for governance in ISO/IEC 38500.

Management per COBIT 5®: Management plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

This includes multiple management level processes within each of the following categories:

  • Align, Plan, and Organize
  • Build, Acquire, and Implement
  • Deliver, Service, and Support
  • Monitor, Evaluate, and Assess.

At a high level, this is a holistic framework, based on processes that meet the generic criteria for process lifecycle management defined in the ISO/IEC 15504 series. What this means is that IT governance and management need to be defined and documented as a set of processes that will be subject to methodical continuous improvement. As business needs change, major technology shifts occur, or the threat environment shifts, the processes may be re-evaluated for updates. For the reader who is familiar with ISO9000 and management systems, this will make sense. IT management focuses on process and the continuous improvement of those processes, and has built-in mechanisms for a coordinated, holistic, systemic response to changes affecting IT.

This holistic process-based approach is meant to be supplemented with activities and specific details, many of which may be provided through recommended implementation guidance in other internationally recognized standards, such as ISO/IEC 27001, ISO/IEC 20000, Information Technology Infrastructure Library (ITIL®), ISO22301, and Generally Accepted Privacy Principles (GAPP). In practice, we have found these to be the building blocks for defining a standard of care that meets the reasonableness test for security and control in IT whether it is existing IT or emerging IT.

Organization of the Book

All the COBIT 5® processes are meant to be used together – there are interdependencies from one process, or set of processes, to another. There are particular process areas that have been shown to have high priority in terms of ensuring that the integrity of information systems is sufficient to allow the systems, and the information they produce, to be trustworthy. This text is not a detailed discussion of COBIT 5®, but supplements the information in COBIT® based on practical experiences using the COBIT® frameworks, including discussion of:

  • Governance - COBIT 5® integrates earlier publications like Val IT™ and Risk IT with the governance concepts in COBIT 4.1® to define governance practices and activities in alignment with international standard ISO/IEC 38500. IT value creation is influenced more at the governance level than at any other process, and the emphasis on good governance practice is evidenced in COBIT 5®. Key focus areas for good governance for an IT-enabled business facing decisions about cutting edge IT are the focus of the chapter on governance.
  • Business case is an offshoot of governance, and provides some suggestions for implementation relating to ensuring benefits delivery, risk optimization, and resource optimization. It is also an excellent tool for promoting stakeholder transparency and evaluating technology risk by ensuring that the elements necessary for “full disclosure” in the cost model evaluation are included.
  • Management processes that are critical to the successful adoption of cutting edge IT are: understanding the current environment and practice, defining target IT capabilities, understanding gaps, managing change, and managing assets.

This book encourages a holistic approach to IT processes utilizing a set of internationally recognized standards: ISO27001 (Information Security Management System), COBIT 5® (Control Objectives for IT), ISO20000 (Service Level Management for IT), ISO22301 (Business Continuity), and ISO38500 (Governance). Organizations already using these standards will appreciate utilizing existing control frameworks already in place with only minor modifications to support new computing paradigms and compliance requirements.

Chapter 1: Cutting Edge IT provides an overview of emerging technologies and their implications for security and control in business and IT.

Chapter 2: Governance presents the concept of IT value (corresponding to Val IT™) in the context of Cloud Computing. Investment in emerging technology is a significant move for any business, and this section covers methods for evaluation of that investment to ensure potential benefits and risks are understood based on COBIT 5® Governance domain.

Chapter 3: Legislative and Regulatory Compliance Concern is an overview of major compliance considerations for all emerging technologies and suggestions for a build-once-comply-many compliance strategy.

Chapter 4: Getting the Business Case Right delves into the business case using examples for Cloud Computing. It examines a cost model and steps to ensure that the elements necessary for “full disclosure” in the cost model evaluation are included.

Chapter 5: Service Level Management in the Cloud is a summary of existing standards to be used within the context of COBIT 5® to enhance processes for all aspects of service management and service delivery.

Chapter 6: Security and Control Approach presents a security taxonomy and recommendations for a baseline security approach within the context of COBIT 5®.

Chapter 7: Data Management. When emerging technologies are adopted as part of business strategy, where does the data reside? This section discusses data management concepts including a focus on understanding “data flow” for security and data retention/discovery purposes. The chapter discusses data storage, recoverability, and ownership as it is impacted in the Cloud and provides a framework for lifecycle data management, including data migration and “retirement.”

Chapter 8: Business Continuity and Recovery covers planning for business interruption when using Cloud Computing, and planning for incident handling.

Chapter 9: Secure IT-Enabled Organizations describes key success factors from our experience of various organizations that have fused solid IT controls into the way they do business.