By Danny Bradbury
2 July 2007
Handling compliance and risk have become inescapable elements of the
modern CIO's role as they strive to ensure the business can forge ahead
while not exposing areas of weakness or potential liability. Danny
Bradbury explains the dilemma...
Compliance can be a daunting word for IT managers. Ultimately, it's
about managing risk exposure at a broad level. So what can IT directors
do to satisfy the rest of the board, especially given that regulations
are mostly vague, principle-based affairs?
Be thankful for vague rules.
The few regulations that meddle with operational specifics aren't
generally helpful security guides, argues Michael Barrett, chief
information security officer at PayPal.
For example, the industry-enforced PCI-DSS standard for credit card
payment handlers specifies conditions such as the application and
configuration of personal firewalls. Barrett dislikes personal firewalls
because uneducated users often make the wrong decisions when told that
'application nettaxi.exe is trying to access outbound port 142'.
"Many organisations choose to simply not use them," says Barrett. "So
then the auditors put you through this huge wringer."
PayPal got onto the board of the PCI advisory council to address issues
such as these.
Even the more principle-based rules can cause problems because they
often aren't harmonised, says Stuart Okin, UK lead for security at
Accenture. They can become contradictory, especially when spread across
different regions. Cut out the noise, says Okin: "Decide what the most
important thing is that you're going to protect, and then decide what
architecture you're going to supply."
Those parameters have to be defined at a strategic and tactical level
before you start buying point solutions to shore up your infrastructure.
Technology isn't the starting point, explains John Pironti, a member of
the education board for the Information Systems Audit and Control
Association and chief risk strategist at IT services firm Getronics.
"The first step is to perform a threat and vulnerability analysis on the
organisation's information infrastructure - all of the processes,
procedures, standards, people and technologies that support the use,
transport and storage of data and information," he says. After this you
can get to the vulnerability management plan.
PayPal, which is heavily regulated by the banking industry, starts with
this vulnerability analysis across the whole firm before drilling down
to do the same with the IT department, says Barrett. On his enterprise
risk 'heat map', he always finds that IT ends up as a risky area.
"We then drill down into that particular information security area using
whatever standards there are as a framework. We use ISO 17799 and ISO
27001 at this layer to help govern our managed security programme," he
ISO 17799 (expected to be renamed ISO 27002 this year) provides a set of
best practices for security, in areas including compliance. ISO 27001 is
a certification standard to ensure that they've got it right.
"No-one ever gets 100 per cent scores on those things, because if you
did you're probably overinvesting in the area," he warns. "It's about
getting the risk into an acceptable tolerance but not spending more than
you need to." That process involves matching the value of the data at
risk to the amount you're spending on protecting it.
But how does all that influence operational procedures? Encryption is
proving a popular technology to protect data, says Pironti, adding that
companies are deploying it for volatile environments where controls
aren't easily available (such as mobile data). This probably would have
saved the Nationwide Building Society the fine of almost a million
pounds that it had to pay when a laptop containing unencrypted data was
stolen from an employee's home.
But the other way to tighten up security controls is to refine your
overall IT practice using service and management strategies like ITIL
and CoBIT, says Pironti. These frameworks help to govern basic practices
such as patch management, for example.
Even if such schemes aren't rigidly applied, a better understanding of
IT processes has become important to security.
Accenture's Okin says: "Three or four years ago, people wouldn't
understand simple stuff around patch management. That's changed, so that
most of our clients have a strong handle on applying risk methodology
and understanding when they're going to patch."
But when considering risk, IT management practices such as these are
basic table stakes.
Clive Longbottom, analyst at Quocirca, argues that risk management is no
longer simply about locking down system resources. Security for
compliance purposes has to be considered in the wider corporate context
of roles and relationships (not least because when considering broader
enterprise risk, you're looking at internal controls that focus around
people, rather than nodes on the network).
"It's then better linkable into organisational structure and process,"
says Longbottom. "You have the role and responsibilities of the person,
and what they're doing at any one time. Once you bring those vectors
together, you have that binary of 'yes, you can do this' or 'no, you
For example, a marketing person might only need to see a subset of
files, and might only be allowed to view them while they're in the
office. The CEO might need to view all of them, and may be allowed
access from his laptop at home, but even he might not be allowed to
access them from a public wi-fi hotspot.
Mapping privileges to people in this way also makes it easier to
introduce a fundamental risk management concept into the IT practice:
"This is the enhancement of adding identity and logging capabilities to
all processes which touch sensitive data," says Pironti. "This gives an
organisation a credible view of who touched data and what they did. It's
a passive control, but it allows organisations to perform more effective
root cause analysis in the case of an information security event or
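The two ideas just described, an access decision built from a person's role, the document class and where they are connecting from, plus an identity-aware log of who touched what, rendered as an added example (this is not code from the article or from any firm named in it). The role names, document classes and network labels are constructed; anything not explicitly listed in the policy is denied.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy (hypothetical): for each role, which classes of
# document may be viewed and from which network contexts. Anything not
# listed is denied, so a new role or location needs an explicit entry.
POLICY = {
    "marketing": {"docs": {"marketing"}, "networks": {"office"}},
    "ceo": {"docs": {"marketing", "finance", "board"},
            "networks": {"office", "home_laptop"}},
}

@dataclass(frozen=True)
class Request:
    user: str       # identity of the person, not of a network node
    role: str       # role held by that person
    doc_class: str  # class of the sensitive document requested
    network: str    # where the person is connecting from right now

def decide(req: Request) -> tuple[bool, str]:
    """Combine role, document class and location into one yes/no answer."""
    rule = POLICY.get(req.role)
    if rule is None:
        return False, "unknown role"
    if req.doc_class not in rule["docs"]:
        return False, "document class not permitted for role"
    if req.network not in rule["networks"]:
        return False, "network context not permitted for role"
    return True, "permitted"

def authorise(req: Request, audit: list) -> bool:
    """Make the decision and record who asked for what, and the outcome.

    Denied requests are logged too: they are often the first sign of
    misuse or of a policy that no longer matches how people work."""
    allowed, reason = decide(req)
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": req.role, "doc_class": req.doc_class,
        "network": req.network, "allowed": allowed, "reason": reason,
    })
    return allowed

def who_touched(audit: list, doc_class: str) -> list:
    """Root-cause view: which users were actually granted access to a class."""
    return [e["user"] for e in audit
            if e["doc_class"] == doc_class and e["allowed"]]
```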
The technology behind these basic operations - which email archiving,
activity logging and configuration management products you use - is a
less interesting and challenging consideration than the altered working
practice that they're going to support. Pushing accountability
throughout an organisation requires a major cultural change that goes
beyond the installation of an Active Directory database and a single
sign-on system. It brings into play challenges such as enforcing best
security practice at an individual level, perhaps by tying it to
performance reviews, for example. These are issues that Barrett says
even PayPal hasn't fully tackled yet.
Making those decisions highlights a popular misconception about IT risk
management. You never stamp out risks. They always exist, and boards are
paid to take them. How much risk you take when complying with
interpretive regulations is something that the IT department must work
through with the board. Doing that requires that you speak the board's
language. Handling that translation may be the hardest job of all.