ATKINS: How do you justify the investments required in your business cases for security when there’s no measurable direct return?
WESTCOTT: How do you find money for security? To me, the answer lies in education. You have to involve your executives in the development of the security policies, etc. We have an executive meeting once a month at Mercedes-Benz, and one of the topics for next month’s meeting is going to be security – what does it really mean and so forth. It’s like any other project. You’ve got to come up with a cost justification, and you’ve got to tell people why they need to understand the benefits.
SINGLETON: In addition to being Provincial Auditor for the Province of Manitoba, I’m also a board member of the IT Governance Institute, an international organization that encourages boards of directors to get more interested in IT issues. We think that a serious marketing job has to be done to convince boards of the importance of IT for their organization, and that can be done in two ways. One is in managing their risks around IT. The other is in helping them understand how IT is an important and integral part of obtaining business value – and IT security is clearly a part of that. Over and above risk avoidance, having strong IT security can be a good marketing tool when you’re dealing with vendors and customers. And being a leader of the pack in this area can often be a way to encourage more business to come to you.
ELKAIM: In order to obtain funds in this area, it’s about articulating the perceived risk – and that’s not an easy one. Sometimes, quite frankly, it’s reactive. Something has happened and some aspect of security wasn’t in place. Therefore, you now have a clear understanding of what the cost is and you can articulate the benefits. When we try to take a proactive approach, then the value has to be in being able to do more with less – hopefully, the value that is gained will not strictly be around security.
PARENT: At the Canadian Payments Association, we do an analysis of the threats and the risks. After this, there are three options: First you can offload some of the risk by insuring it. Second, you can reduce the risk. To do this, you have to put forward a business case, and sometimes they’re hard to put together. The way that we’ve been doing it is to try to show the cost of the loss of the data.
If the data was lost, then the business couldn’t continue; it could lose customers, strategic partners, and so on. We try to put a cost on that. Obviously you have to show the executives that the money you will be spending on security is worth it. If not, there is the third option: accept the risk.
ATKINS: How do you manage the competing demands of delivering more and more access to information to new people, new locations and new devices, versus managing secure access to that same information?
SEARS: It’s important that you have a security policy in place, because studies have shown that 70 to 80 percent of the security risk for an organization comes from internal staff. So it’s important that you make sure people are aware of what their responsibility is because if you don’t, they can always plead ignorance and say they weren’t aware that this was happening. There’s also a struggle around evaluating the information risk. GlaxoSmithKline’s approach is to have, by default, a minimum risk – that is, a minimum level of security that exists for everyone – and only if there’s a specific requirement in place around a specific application do we then put additional levels of security on top of that.
WILSON: Ten years ago we would have just built a secure wall around the organization. But the world has changed in the last few years. We’ve broken that wall by implementing such things as extranets, E-commerce and VPNs. Now each new form of technology that we adopt has to have a security process put in place, because each is a different solution requiring its own level of security to ensure that you can maintain control over access to information. So the one set of standards that we used to have is no longer acceptable. The IT environment has gotten much more complex now and the number of different technology standards, access requirements and security procedures has gotten much more complex. Reality is that this rate of change resulting from the adoption of new technology will likely never slow down.
ELKAIM: Roots is a growing organization and we have people starting all the time, so from my perspective it’s about process and standards. You have to have a process surrounding how you identify which individuals will have access to what information. And there should be a standard set in terms of how people access that information. We’re very good about getting people onto the system. But securing yourself when they leave can be where you fall down. You have to have processes in place around that as well.
ATKINS: Two common ways of checking the security of your systems are security audits and penetration tests. How often and under what conditions do you do them, and who conducts them?
D’AURAY: There are a lot of layers in the security audits that are done by an organization such as the Government of Canada. There is the regular checking that most departments and agencies do with their own systems and then we undertake audits of the main network that connects all the departments and agencies. Verifications and/or audits are done internally as well as externally, and we also have some centres of expertise we can rely on, such as the RCMP and the Communications Security Establishment. Regarding penetration tests, departments will do a range of things. We have experts in a number of government institutions and agencies, who do that on a regular basis for critical systems. We also do vulnerability tests – looking at a number of vulnerabilities throughout our entire procedures. And we find that the periodic spot check is also almost as important as the full blown audit.
WILSON: The security audit is something we’ve been doing on an annual basis. The issue that we are struggling with is penetration testing. To do penetration testing properly, you need to use an outside organization that has the same kind of tools that hackers utilize. You also need to recognize that each test will cost in the order of ten thousand dollars. As most companies now use industry standard products and standard operating platforms, it means that whenever a new hole is discovered in one of these standard products, we are all instantly exposed. The problem is that penetration tests are only valid for the moment the test is completed. A month after you’ve spent the money to do the test, there may be new holes discovered in the industry standard products. So how often do you do these tests? We need to find some new ideas as to how we improve our level of security, recognizing there is a limit as to how much funding is available.
WESTCOTT: John and I are suffering from a similar quandary. We’ve used external organizations to perform penetration tests, but you only need to change a piece of equipment or software and all the good work you’ve done is history. So recently we have supplemented that external penetration checking with, essentially, a piece of software. It’s run in an ASP environment where you license it by the number of IP addresses you want to check. You run it yourself and the software provides you the results and ana-lysis. The company also offers all sorts of other services, but we’re taking it at a fairly basic level. We’re licensing it for the year at the lowest possible rate, and we’ll run it whenever we change anything. We’re still probably going to do a reality check, perhaps once a year or if there is a major change, but other than that we will be doing it whenever there is any change to something that is facing outside the company.
PARENT: We do security audits yearly. They’re performed by an accounting firm and they look at security controls and procedures. Basically, they look at how we apply our policy; do we have the right control regarding employees, do we have the right procedures in place, do we follow them, are we reporting to the right channels and so on. That report is submitted to our members as well as to the Bank of Canada. In terms of penetration tests, post-911 we’ve definitely been talking more about that. We are confident that our system is very well secured but we are nonetheless in the early stages of arranging for some carefully organized penetration testing.
ATKINS: How do you go about setting standards across your enterprise for information protection and unauthorized access, and how do you keep those standards iterative?
SEARS: We’ve always had standards in place and, with the help of recommendations from the auditors, we review them on an ongoing basis and make sure they are as current as possible. We also make sure that the importance of following these standards is communicated to the organization on a regular basis. Recently, there was a recommendation from senior management around the need to have the right awareness of information risk throughout the organization. We’ve given our inhouse legal department the responsibility for making sure that we are compliant. There is now an individual whose job it is to review the information that exists throughout the organization and do an assessment and report on it, as well as make recommendations in terms of what changes have to be made. This gives us the opportunity to elevate the importance of the need to have control of this data – something that in the past has been a challenge.
WILSON: In order to effectively control access to information across the enterprise, it is necessary to set corporate standards that specify who can connect to the data network and who has access to business applications and other information access tools. The most challenging aspect for Corporate IT is the enforcement of these corporate standards across the organization’s various companies and divisions. By implementing a corporate wide data network, which is managed by the Corporate IT Group, companies have the means by which corporate standards can be set, implemented and enforced across the enterprise. As new technology is introduced, enhancements to the corporate standards will have to be made to ensure the existing IT security infrastructure is not compromised.
D’AURAY: We have just finished updating the Government Security Policy, which sets out fairly high level principles, and we’re now in the throes of updating the IT security standards that implement the policy. It’s not easy, because we have tended to think of standards development as being pretty well static, and we’re finding that this is an iterative process. We think we have to look at some of the basic principles and approaches to risk management and then look at what are the minimum and maximum levels of standards for interconnection, because we’re very much in a networked environment and we are increasingly outward or client facing. The weakest link will be the most damaging, so we have to look at the points of interconnection.
WESTCOTT: We’ve experienced a lot of growth and I don’t think we’ve really had any good formal standards until a short while ago. We’re now in the process of rolling them out. We decided not to try to reinvent the wheel here. We went to the SANS Institute and essentially we’ve taken their standards, which they provide free on their Web site, and we’ve tried to make them fit our organization. We felt there was a body of experts around those standards, and there was no reason why we shouldn’t take advantage of what they’ve done. There’s some pretty straightforward stuff that you can get out of there that you might never have thought of yourself. So that’s how we’ve started. But the process won’t stand still, and our intent is that we will review the policy on a quarterly basis to ensure that it is satisfying our needs.
ATKINS: How do you screen employees to ensure that your own people don’t compromise your information – not just IT people but employees across your enterprise? What business processes do you have in place to protect your enterprise I & IT from current and former employees?
ELKAIM: There’s a certain amount of trust that has to be earned and established between you and your IT team. It’s an ongoing exercise. The way I approach it is by treating my people professionally – we don’t punch clocks. There is a certain degree of trust that these employees get from the outset because that’s just the nature of the IT area. Once they’re on board you have to have a certain amount of trust in them, and over time that trust is reinforced and you can release more and more systems or areas to them. As for exiting individuals who leave of their own accord, we have a hook to our payroll department that tells us weekly who has exited, and then we disconnect them. If there’s a dismissal, that’s handled very differently. We have tightened up the exit process significantly. When someone leaves the IT area, you really have to know how to close it up and prevent them from getting back in – so that’s been our focus.
PARENT: We tend to segregate different types of duties, from production to development. We restrict physical access on the premises and we have a buddy system in terms of specific duties relating to security. For example, we have two public key infrastructures, and when some of the master keys are reset, three people out of five who have these keys must be present. We also make sure that the people that are working on high-level security have security clearance. In terms of a disgruntled employee that has been dismissed, we walk the person out and we have a whole list of procedures and policies that we follow to make sure that we revoke passwords and so forth. When someone resigns, we have the flexibility of walking that employee out right away, on good terms, and saying “you’re working in a very critical area and this is our policy”. It’s a very touchy area. There’s no magic solution and you have to modify your procedures as you implement new systems.
SINGLETON: One of the things auditors can add is something I call the sentinel effect. In a recent high-profile investigation in Manitoba, we had a technical person clone all the hard drives at the organization we were investigating. One of the messages from this incident that we tried to communicate was that people should think about what’s on their computer. We want them to imagine the Provincial Auditor knocking at the door one day and saying, “I’d like to clone your hard drive and look at its contents.” I think that would get a lot of people thinking about what they’ve got on there. One of the things we’re doing now is looking at employees’ PCs for unauthorized software. It’s not so much that we want to find specific breaches of policy or licencing infringements, it’s that we want to get the message out that somebody is looking. I think this is important, even in the private sector. We have to communicate to everyone that audits are being done and the kinds of things we’re finding. It’s another opportunity to remind people of the importance of security.
ATKINS: What investments does your enterprise make in education specifically to enable your IT employees, management employees and general employee population to deal effectively with privacy and security?
SEARS: We spend as much as is needed. If we felt that there was a need to make any more investment in this type of education, we certainly would. We do things like ‘lunch and learns’, and keeping people aware of what they should be doing, on a regular basis. We use our intranet to communicate new information to employees. With respect to privacy, when the new legislation was enacted we made some major investments to raise awareness. We brought in someone familiar with the legislation and its implications and we had everyone in the organization meet with this individual to understand their
responsibilities.
D’AURAY: There are a great many legislative and regulatory issues around privacy and we spend a fair amount of time on education and awareness of our employees in this regard, primarily because quite a number of them have access to some very sensitive information. We also have external oversight from the Privacy Commissioner, who has the power to investigate and respond to complaints, so there’s a fairly high awareness of the issues. On the security front, it’s probably more mixed. It’s a large enterprise and some departments or agencies are better and more rigorous at the ongoing training and education than others. Some departments will have more sensitivity to privacy issues because of the data they hold and the connections and interaction they have with citizens.
SINGLETON: My sense is that across the public sectors in Canada, because of the fiscal constraints that have been in place, training and development has been particularly hard hit. Training has been one of the areas that tends to be seen as easier to squeeze than some direct-service areas, and as a result is not being invested in to the level that it should. I would say that’s even more so around security issues – there isn’t enough time and money invested in educating employees about security. We are benefiting, as we’ve seen in Manitoba, from Y2K, in that it has caused us to adopt in an enterprise-wide accounting system and a desktop management system where there are new central bodies that have a mandate to think about security issues. But they’re still challenged to find ways to get the IT security message out in ways that they need to.
ATKINS: What are the top one or two security or privacy issues within your enterprise and what advice would you offer to IT executives reading this article?
WESTCOTT: The number one security issue is that people need to understand this is more of an internal problem than an external problem – that it’s not just an IT issue. We [IT] may be a large part of the solution, but we’re not necessarily a large part of the problem. It’s a company-wide issue and it needs to be sponsored by your most senior management. There needs to be an understanding that it’s a real issue, and there has to be education around it. From a privacy perspective, again it comes down to education. I can only recommend that organizations read the legislation, ensure that they understand it, and ensure that they live with-
in it.
PARENT: Protecting the organization from internal threats is important but I believe protecting it from external threats is equally important. We have to look at both sides of the fence. But before going with a fortress approach, we need to look at the risks and the threats. We should look at the risks from a technical perspective and from a business perspective, and we should assess these risks and develop a solution that is acceptable, whether it’s reducing the risk or accepting it.
SEARS: One of the key issues with respect to security is around wireless technology. There is a growing interest in wireless and we need to make sure that it is properly secured. That’s also true of the Internet. Before people will truly embrace that technology to the degree and the growth rates that have been stated, they’ve got to have a level of confidence that the information they’re providing over the Internet is secure. In terms of advice, I would say that you need to have a policy in place, and you have to make sure that people are aware of it and that it’s being followed.
WILSON: I believe that with each new piece of technology that we implement, be it wireless, the Internet or different forms of VPN, we have to make sure that we’ve first developed ways to effectively control these technologies. We should be selecting new technologies based on their security capabilities as well as their operational capabilities. If the necessary security capabilities aren’t there, then don’t implement the technology and try to fix the security issues later. My advice to CIOs is to avoid looking at security in a piecemeal fashion. You should step back and take an enterprise view and put together a security strategy from the point of view of controls, architecture and monitoring that looks at the whole enterprise and not at a series of individual components.
SINGLETON: One key issue would be the need to focus on the people, time, money and effort that’s required to address security issues. I would recommend that CIOs think about how they can begin a dialogue in their organization about IT governance, how IT governance can fit into enterprise-wide governance, and that includes, of course, the security considerations. This means we need to think about how to foster a two-way communication between the board of directors, executive management and IT management, where each is speaking in language that everyone understands. In this way, IT security, and IT issues in general, can become part of adding value to the corporation, supporting the achievement of mission goals and also protecting the organization from threats and risks.
D’AURAY: Security requires a good governance approach. For many of us, this is an issue of how we manage – how we integrate, from a business as well as from an IT perspective. And I think how we do the integration of both of those is really key. On many fronts, we’re really dealing with risk management because we will not be able to deal with and handle everything. So you have to have a good understanding of what your primary risks are. You have to have a good risk management approach and an evolutionary one, because iteration is key in this environment. In terms of advice, there are some very useful tools out there and a lot of good independent organizations that can help you, both on the standards side as well as in terms of awareness and protection. Federally, we’ve created the Office of Critical Information Protection and Emergency Preparedness. It produces alerts on a regular basis, and you can subscribe online to that very easily.
ELKAIM: It’s very important for IT management, business management and the board of directors to be directly involved in the security discussion. Disaster recovery is well understood by those groups because we all went through Y2K and that put disaster in the front of everyone’s mind. I think there’s still work to be done in the area of understanding security issues. So it’s about education and awareness. The issues have to be put in terms that people can understand them, and we’re still deficient at this. I think it needs to start with the IT organization.
David Carey is managing editor of CIO Canada. He is based in Toronto.
