14 April 2005

Enterprise Security Risk Management (ESRM)

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting information security issues:

1. Is your security policy enforced fairly, consistently and legally across the enterprise?

2. Would our employees, contractors and partners know if a security violation was being committed?

3. Would they know what to do about it if they did recognize a security violation?


In today’s wired world, threats to the information infrastructure of a company or government agency are not static, one-time events. With new viruses, vulnerabilities and digital attack tools widely available for download, a “complete information security solution” in place today can easily become incomplete tomorrow. As a result, a security architecture must be flexible and dynamic.

Presently, news of digital-threat events tends to spread through the computer security world in a “grapevine” manner. Threat information is obtained from websites, e-mail listservs and countless other informal sources. This haphazard system is incomplete and therefore raises concern when evaluating the damaging, costly effects of an aggressive, systematic digital attack.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles. To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape. Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs. Awareness and the ability to make informed decisions are critical.

In short, as the electronic economy plays an increasing role in the private and public sectors, organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity. Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors. This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business disruption). Furthermore, the cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on integrated systems.

Highlights of the 2004 Computer Crime and Security Survey include the following:

-- Overall financial losses reported by 494 survey respondents totaled $141,496,560. This is down significantly from last year, when 530 respondents reported $201,797,340.

-- In a shift from previous years, the most expensive computer crime was denial of service. Theft of intellectual property, the prior leading category, was the second most expensive last year.

-- Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security.


How is an organization going to quickly and effectively address what we call ESRM? If you go to Google and query "Enterprise Security Risk Management", you'll find one company at the top of the list, and for good reason.

The Consul W7 Methodology is on the right track with an approach to ESRM that is gaining traction in the market place.

The W7 Methodology
Security data (logs, syslogs, SNMP, NetBIOS, etc.) from the entire enterprise are consolidated and normalized through Consul's patent-pending W7 methodology, whereby Who did What, When, Where, Where from, Where to and on What is determined from deep knowledge of the operating system matched against the information in security alerts and log files. Through best-practice and customizable policy templates, only the essential events are processed, providing urgent, relevant and actionable information. The W7 methodology underpins the way InSight normalizes and correlates the data, and it is the language spoken by the Policy Generator to filter out the relevant data.
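To make the W7 idea concrete, here is an added example (not Consul's code, and not the InSight product's actual schema) that normalizes a few constructed syslog-style lines into the seven W7 fields and then runs a small policy template over them so that only the "essential" events surface. The line formats, host names, addresses and rule names are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (format: timestamp host process[pid]: message).
# None of these were taken from a real system.
SAMPLE_LOGS = [
    "2005-04-14T09:12:05 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "2005-04-14T09:15:41 web01 sshd[2214]: Failed password for root from 192.0.2.77 port 40011 ssh2",
    "2005-04-14T09:16:03 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "2005-04-14T09:20:30 files01 fileserver: user=bob action=read path=/finance/q1-results.xls src=10.0.0.9",
    "2005-04-14T09:21:00 web01 cron[99]: (root) CMD (/usr/bin/logrotate)",
]


@dataclass
class W7Event:
    """One normalized event: Who did What, When, Where, Where from, Where to, on What."""
    who: str          # account that performed the action
    what: str         # normalized action name shared across log sources
    when: str         # timestamp as logged
    where: str        # host on which the event was recorded
    where_from: str   # origin of the action (source address or terminal), "-" if none
    where_to: str     # system, service or account the action was aimed at
    on_what: str      # object acted upon (file, command, account)


SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[A-Za-z0-9_-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[W7Event]:
    """Map one raw line into a W7Event; return None for sources we do not model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.group("ts", "host", "proc", "msg")
    if proc == "sshd":
        s = SSH_RE.match(msg)
        if not s:
            return None
        what = "login-success" if s.group("result") == "Accepted" else "login-failure"
        return W7Event(s.group("user"), what, ts, host, s.group("src"),
                       f"{host}:ssh", f"account:{s.group('user')}")
    if proc == "sudo":
        s = SUDO_RE.match(msg)
        if not s:
            return None
        # The object is the command run with the target account's rights.
        return W7Event(s.group("user"), "privilege-escalation", ts, host,
                       s.group("tty"), f"account:{s.group('target')}", s.group("cmd"))
    if proc == "fileserver":
        kv = dict(KV_RE.findall(msg))
        if not {"user", "action", "path"}.issubset(kv):
            return None
        return W7Event(kv["user"], f"file-{kv['action']}", ts, host,
                       kv.get("src", "-"), host, kv["path"])
    return None  # e.g. cron: not mapped into W7 by this toy parser


# Policy template (assumed format): every listed W7 field must contain the given
# substring for the rule to select the event. Events no rule selects are dropped.
POLICY: List[Dict[str, str]] = [
    {"name": "root-login-failure", "what": "login-failure", "who": "root"},
    {"name": "shadow-file-access", "on_what": "/etc/shadow"},
    {"name": "finance-share-access", "on_what": "/finance/"},
]


def matches(event: W7Event, rule: Dict[str, str]) -> bool:
    fields = asdict(event)
    return all(cond in fields[k] for k, cond in rule.items() if k != "name")


def normalize(lines: List[str]) -> List[W7Event]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def apply_policy(events: List[W7Event], policy: List[Dict[str, str]]) -> List[Tuple[str, W7Event]]:
    """Return (rule name, event) pairs for the essential events only."""
    return [(rule["name"], e) for e in events for rule in policy if matches(e, rule)]


if __name__ == "__main__":
    for name, ev in apply_policy(normalize(SAMPLE_LOGS), POLICY):
        print(f"{name}: {ev.who} {ev.what} at {ev.when} on {ev.where} from {ev.where_from} -> {ev.on_what}")
```

The point of the exercise is the shape of the data, not the regexes: once an SSH failure, a sudo invocation and a file-share read all carry the same seven fields, one policy rule can be written against "who" or "on_what" without caring which product emitted the line, which is what lets a small template reduce a large log volume to a handful of actionable events.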


Today, ISO17799 is one of the most widely recognized information security standards in the world. ISO17799 defines a management structure and process within the organization that allows it to

* Identify genuine risks to the organization’s computing environment
* Establish a level of risk tolerance
* Select appropriate control measures to mitigate risk
* Manage incidents, events, and security breaches, and
* Manage risk in a constantly changing environment

The ISO17799 standard is appropriate for a wide variety of organizations. The standards are written in an open framework that could be applied as easily to a bank as to a hospital, university, e-retailer, non-profit charitable organization, or government.

Consul InSight™ enables ISO17799 compliance by monitoring “who” touches “what” information, monitoring security events and archiving all relevant log information. In this module, the best-practice recommendations of ISO17799 are embedded into the reports, policy and classification templates to facilitate compliance.

The ISO17799 Compliance Management Module comes complete with:

* ISO17799 Compliance Dashboard
* ISO17799 Report Center
* ISO17799 Policy Template
* ISO17799 Classification Template
* ISO17799 Resource Center


Your goal is to provide the organization with the following Information Security value propositions:

1. A System with Best Practices to Establish, Implement and Monitor Compliance

2. Early Warning & Awareness for the Entire Enterprise

3. Relevant Decision Support

4. Trusted Threat Information/Analysis

5. Actionable Threat Countermeasures

And remember, a Single Enterprise Security Risk Management System will not solve the operational risk problem without the right processes and the people to implement such a solution.
