Looking for Information Security Control in a Global Business Climate

Mike Jerbic details efforts by The Open Group Security Forum to help further develop secure information architecture standards

In 1891, Professor Friedrich Wieser wrote in his Theory of Value, "The idea of the importance of property only originates in scarcity." Applying this principle to computer and information security resonates as well, because computing resources are abundant — so much so that considering them as property is unimportant. I would challenge any IT manager to name even a quarter of their existing computer resource inventory, even with the help of so-called reporting tools. On the other hand, information access, integrity and use are considered high-value business property with proprietary value. After all, information service providers can charge high premiums for their services to provide and maintain "asymmetric" differences in information access, creation and availability. For some enterprises competing in the information age, keeping information scarce is their only business advantage — the one thing worth preserving.

The key security problem CSOs face today is securing property rights in their organizations' information — while still supporting business in a global, shared services-oriented economy. CSOs are faced with a new objective: information-centric security beyond the enterprise.

Using the global information infrastructure increasingly requires that the private and public sectors, and consumers, each assume a spectrum of new risks. At the same time, many managers of these risks don't fully understand them, and the power of individual IT system users (through negligent or malicious misuse of systems by employees, contractors, etc.) to do great harm with abundant commodity technology is rapidly growing. In response to this concern, industry and public interest groups, policy makers, regulators and others are developing new standards and regulations that place controls on the security management of information systems and their information.

The Open Group Security Forum and the American Bar Association's Cyberspace Law Committee of the Business Law section recently collaborated on a white paper called "Information Security Strategy: A Framework for Information-Centric Security Governance." The purpose of this collaboration was to present an approach to achieving this new objective within an acceptable risk management envelope and to initiate projects within The Open Group that will help all of us govern information asset security more effectively. The paper presents a framework to manage information-centric security both within and between enterprises sharing information, focusing on the key elements of any governance structure:

The Stakeholders: Who are the key players and what are their functions and roles? The paper identifies six critical stakeholders: Business Management; Legal; Audit; Controls and Compliance; Business Process; and Information Technology. Each of these key players has its own dedicated roles and responsibilities. Business management has a business to run. The legal team has the responsibility (among others) to develop opinions on whether the organization is compliant with legal or regulatory requirements. Too often technical people or auditors may be making these assessments, but in the United States at least, any determination of compliance with a legal standard is part of the practice of law. The Controls and Compliance organization establishes internal policy and enforces compliance with internal (not legal) standards. Auditors measure the extent to which the organization performs to the policy requirements. Business process people define and implement how the business will work functionally, and the IT organization architects, designs, implements, and maintains the information technology components of the processes.

The Objectives: Information-centric security has a primary objective: to control information as if it were property. Previously, The Open Group Security Forum and the American Bar Association collaborated on another paper titled "Framework for Control over Electronic Chattel Paper—Compliance with UCC § 9-105" that articulated the principles of establishing control of electronic transferable assets, or electronic property, compliant with the Uniform Commercial Code. UCC § 9-105 essentially enforced the same "control" over transferable electronic assets (chattel paper) that exists with the possession of tangible, physical chattel paper. This research developed a model of control, with its necessary components, that is now extended to the general case of establishing and maintaining control (the equivalent of possession of real-world assets) of the intangible information asset. Today's security objective is to maintain control over information both inside and outside the enterprise. Control establishes the equivalence of possession, which in turn supports the importance of treating information as property.

The Process: Using the objective of control, the stake-holding participants must establish and enforce a process resembling policy compliance to establish control of information both inside and between enterprises. Within the enterprise, corporate policy is the governing objective against which business process, information technology, risk management and regulatory compliance objectives are resolved. Between enterprises, such as service providers and service consumers, objectives are specified in service level agreements or other contracts and verified through auditable performance measures.

Delivering information securely will require increased emphasis on enterprise architecture and effective communication among the diverse stakeholder community. Today, security is considered a non-functional property of the IT system, similar to quality, manageability, and usability. As a result, it is harder to measure and discuss security unambiguously. However, it is through security and its impact upon enterprise architecture that control over information, both inside and outside the enterprise, is established.

Non-functional properties, such as quality and security, tend to be processes that resemble negotiations which resolve conflict between competing interests. In this manner the continuing dialogue, debate, conflict resolution, lessons learned and improvement is often more important than an arrival at any final destination. C-level security practitioners must become adept at leading organizational stakeholders through this journey.

The Open Group Security Forum, as a leading consortium representing the value that sound enterprise security architecture contributes toward delivery of effective information security solutions, wants to facilitate and encourage development of tools, methods and open standards needed to improve security architecture methodology and essential practices. These will enable the security architect to contribute most effectively to the community of excellence that the governance team represents, to take information-centric security from an "as-is-now" to a "where-we-want-to-be" state. Other key areas of interest relevant to the industry include:

- Information Risk Analysis. Stakeholders throughout the enterprise are challenged with complying with information security regulations. Most of these regulations, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), specify a "risk-based" security program. Standards for what a risk-based security program is, however, are not well developed. The Open Group Security Forum is working on a project to develop an information risk assessment framework, with an initial proposal being FAIR, or Factor Analysis for Information Risk.
- The diverse stakeholder community requires visibility into the information risk and security posture. Enterprise architecture today is primarily centered on business management and technical interests, but this must change to include corporate legal, audit, risk, and compliance interests. Architectural viewpoints, and ways of visualizing security properties that these interest groups can comprehend, are essential to the enterprise architecture of the future. The Open Group members are exploring ways to visualize information risk and security in ways that are meaningful to non-technical professionals.
- Architecture for control can and should be better developed. Control requires architected means to monitor, detect and correct for deviations from the control objective. Architectural viewpoints suitable for a wide range of audiences could be developed as part of The Open Group's already industry-leading TOGAF architecture standards.

The modern information security governance team must consider economic, policy and technical factors impacting their organization's security architecture. The team must also represent all the different views needed to sustain the various stakeholders involved. Security as a combination of "people, processes and technology" is nowhere more evident than in the control of information across enterprise perimeters. Corporate legal, corporate policy and internal audit are now among the key stakeholders in a corporation's security architecture. Previously, the needs of these stakeholders have not been well articulated within the architecture community, but they need to be. C-level security practitioners must lead the way.

Mike Jerbic chairs The Open Group Security Forum and is a member of the American Bar Association's Business Law Section and many other technical professional associations. He holds bachelor's and master's degrees in Electrical Engineering, with emphasis on controls and systems, from the University of California at Berkeley. With over 20 years' experience in hardware and software product development, engineering management, and IT project management, Mike's interest area is in solving complex, multi-faceted problems that require a varied background and experience to solve, such as the control of electronic chattel paper.

For further information, please find the full Open Group "Information Security Strategy, 1.0 - A Framework for Information-Centric Security Governance" white paper at http://www.opengroup.org/bookstore/catalog/w075.htm.

Copyright © 2008 IDG Communications, Inc.