"People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.
ROLES & APPROACH
In order to create a secure operations environment, an organization needs to build its structure and staff it in line with the proper approach to the human factor in Information Security.
Failing to do so usually results in lack of direction, misplaced responsibility and ultimately, operational disruptions.
THE TOP-DOWN APPROACH - Information Security is never built from the bottom up. Do not assume that everyone in the organization is tuned-in to what (and how) needs to be done regarding Information Security. The major roles are usually defined as:
Senior Management - creates information security program and ensures proper and adequate staffing and funding and has organizational priority. It is responsible for ensuring organizational assets are protected.
Data Owner (AKA information owner or business owner) - a management employee responsible for ensuring the protection of specific data. Data classification, sensitivity labels and the frequency of data backup is determined by this role.
Custodian - a role responsible for actual protection of assets, performing tasks such as data backups and restoration, patch systems, etc., under detailed orders - Custodians do not make critical decisions on how data is protected.
User - the largest in number, yet major information security role. Users follow rules. For Users it is mandatory to comply with policies, procedures, standards, etc. Working to raise awareness you can tell people how to do the right things at times when their behavior can make a difference for the security of the company.
ADMINISTRATIVE PERSONELL CONTROLS
These are fundamental operational security concepts which should be observed when organizing and structuring the staff of a company. These concepts are important, because they do not only deal with personnel, but permeate through multiple Information Security domains:
- Least Privilege (AKA Minimum Necessary Access) - dictates that all persons' access is strictly bound to the minimum access required so they can perform their duties. This is the one, single, most important principle that administrative security controls revolve around.
- Need to know - even if a member of staff is officially granted (i.e. has security clearance, for example) access to certain data, they are not provided access to that information, unless they have a specific need to know; so that, access to the information must be required for the execution of their duties.
- Split-knowledge - a process in which certain portions of data have a split access over multiple people, individually sharing no knowledge of the data in its entirety. Thus data can be subsequently input into, or output from, by the separate people to the extent they access to and can be combined to recreate the data in its entirety only by a person with access that would allow such actions.
- Separation of duties - prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that in order for someone to be able to abuse access to sensitive data or transactions, that person must convince another party to act in concert.
- Rotation of duties/job rotation - a process in which staff members are required to perform the same duties interchangeably on a rotation schedule. By doing so, the company is more protected due to having varying people perform and review the work of their peers, who did the same job in the previous rotation. Rotation of duties helps mitigate collusion, where two or more people are in alliance to subvert the security of a system.
- Mandatory leave/forced vacation - an additional operational control, closely related to rotation of duties, with the primary security considerations being similar: reducing or detecting personnel single points of failure and the detection and deterrence of fraud. Forcing all employees to take leave can identify areas where depth of coverage is lacking or can help reveal fraudulent or suspicious behavior.
While the diagram above provides a generic structure to illustrate how Information Security and Internal Audit are related both functionally and in terms of subordination and dependency, it is not to be applied blindly. When building one's own structure, one should take into account the nature of the organization's business, it's existing structure as well as resource considerations. The Information Security Manager, usually referred to as the Chief Information Security Officer (CISO) and their unit play a distinct role, which should not be confused with that of the Audit Committee (AKA The Internal Audit and Control Unit) as is further detailed below.
The Chief Information Security Officer (CISO) is the highest-ranking executive responsible for the establishment and maintaining the fundamental business concept, the company's strategy and programs to ensure assets and information technology appropriately protected.
The CISO directs staff in the identification, development, implementation and maintenance of processes across the organization to reduce the information and information technology (IT) risks.
The CISO, and their staff, respond to incidents, establish appropriate standards and controls, manage security technologies, and guide the development and implementation of policies and procedures.
The CISO is also usually responsible for compliance related to company information.
The Internal Audit & Control Unit
The Internal Audit & Control Unit holds an inextricably independent function. Otherwise, it can become dysfunctional with sub-standard performance. There are many degrees in the level of independence and effectiveness, so a clear understanding of the business needs and circumstances is required.
The unit's function is to provide a third level of control in the organization, which should be independent of the control of the first level - that of the top management of the company and of other units, such as legal, human resources, financial control, etc.
The unit establishes appropriate policies and procedures to guide the internal audit function, and ensure the quality of the assurance services delivered - all aligned and are consistent with the company's objectives and governance policies.
REMEMBER: It is important that safety issues are discussed at the highest level of the company's management as the negative impact of business security issues and non-compliance with security policies can be devastating.
TALK TO US
It is not always easy to know how and with whom to man the role of the CISO, or how to build your Internal Audit & Control Unit. We can help with the identification and development of these roles.
We can also help with the proper separation of duties and functions between the two, so that one man cannot bring about the ruin of the entire organization, for example.
In case you already have established the CISO and the Internal Audit & Control Unit in your organization, but are wondering or have evidence they're not functioning on par with expectations, you may want to talk to us.
We will help establish whether these existing roles are properly manned and functioning already in your company.