IT security demystified

Updated 10.12.11

IT is a relatively new profession compared with most others. Even 10-15 years ago, many of the ‘control measures’ now used within the profession either did not exist or were not used by many organisations. For the purpose of this blog post I will use ‘control measures’ as a collective term for standards, laws, frameworks and best practice guidelines. As the profession has matured, a plethora of ‘control measures’ has emerged, and organisations have adopted them as their own IT has matured. The purpose of today’s blog post is to clarify these ‘control measures’ to aid further adoption where required. All of them arrive with a caveat, however. Organisations need to find an acceptable level of ‘control measures’ that leaves them adept at dealing with security threats and with any prevailing laws that affect them, locally or globally. If organisations are not careful, they could spend unnecessary amounts of time implementing different but overlapping ‘control measures’. The best approach is to find a happy medium that allows the organisation to meet its business objectives without spending too much time on ‘control measures’.

This is a topic for another day, but I have seen many organisations spend enormous amounts of time preparing the ‘perfect’ business case running to hundreds of pages and not enough time on planning to fit business requirements or actually actioning the project (too much planning, not enough action). The same is true for ‘control measures’: even with ‘control measures’ such as Sarbanes-Oxley and Basel II in place, the banks still managed to crash the world economy (a collapse averted only by government-led intervention). Let’s also not forget that no system is 100% secure! I will cover as much as I can today and hope that if I miss anything, my readers can engage as usual and assist in not only filling in the blanks but making it a truly interactive discussion.

According to the Symantec 2010 State of Enterprise Security study (see also the 2011 study and the YouTube summaries for both years): ‘75% of organisations are losing on average $2 million annually ($2.8 million for the largest ones). The study found that 42 percent of organisations rate security their top issue. This isn’t a surprise, considering that 75 percent of organisations experienced cyber attacks in the past 12 months. These attacks cost enterprise businesses an average of $2 million per year. Organisations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues. The study is based on surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010.’ Symantec’s study also found that organisations are exploring approximately 19 different standards or frameworks and are using 8 of them. I am predominantly covering those 8 and a few others.

Firstly, let me quickly define the terms behind the three categories of ‘control measures’ that I will be using (courtesy of Dictionary.com):

1. Standards:

Something considered by an authority or by general consent as a basis of comparison; an approved model.

2. Frameworks or Best practice guidelines:

I. Frameworks – A set of assumptions, concepts, values, and practices that constitute a way of viewing reality.

II. Best Practice – A technique or methodology that, through experience and research, has reliably led to a desired or optimum result. For example, a manual documenting best practices in the industry.

My research shows that these two terms are used interchangeably, so to avoid further confusion, I will be bundling them together.

3. Law:

Any written or positive rule or collection of rules prescribed under the authority of the state or nation, as by the people in its constitution. For example, statute law.

There is a good article in this week’s Computing regarding IT security that mentions a book by Alan Calder, ‘IT Governance: a manager’s guide to information security and BS7799/ISO17799.’ The book is now on my ‘to read’ list and, according to the reviews, is the set text for the Open University’s Information Security Management course.

1. Standards:

I. ISO/IEC 27001 is best read together with its companion standard. ISO/IEC 27001:2005 (formerly BS 7799-2:2002) specifies the requirements for an Information Security Management System (ISMS) and is the standard an organisation is certified against; ISO/IEC 27002:2005 (previously named ISO/IEC 17799:2005) is the code of practice that describes the controls. An important aspect to remember is that this pair replaces and incorporates the old BS 7799 standard. In my opinion, this standard should be adopted by most organisations, especially global players.

II. ISO/IEC 20000 defines the requirements for a service provider to deliver managed services, whereas ITIL provides good practice guidelines, advice and options that can be selectively adopted and adapted. ISO/IEC 20000 is a standard in two parts: Part 1, ISO/IEC 20000-1, is the distillation of the ‘must do’ practices of service management; Part 2, ISO/IEC 20000-2, is a code of practice giving advice. Organisations typically pursue ISO/IEC 20000 certification when they want to test and prove that they have adopted ITIL advice.

III. Basel II is the second of the Basel Accords, recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision (hosted by the Bank for International Settlements, BIS). Its purpose is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to set aside to guard against the financial and operational risks they face. Basel II holds financial institutions accountable for the economic consequences of high operational risk (e.g. the neglect of data security) and lets them reap the economic rewards of lowering operational risk (e.g. the deployment of data security measures). Within its three ‘pillars’ of (1) Minimum Capital Requirements, (2) Supervisory Review and (3) Market Discipline, Basel II addresses several key security requirements.

IV. PCI DSS, the Payment Card Industry Data Security Standard. The PCI data security framework was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Prior to 2004, each of the card associations had a proprietary set of information security requirements, which were often burdensome and repetitive for merchants and processors participating in multiple brand networks. The associations subsequently created a uniform set of information security requirements across the participating card brands. These became known as the PCI Data Security Standard (PCI DSS), governing all payment channels: retail, mail order, telephone order and e-commerce. The PCI DSS framework is divided into 12 security requirements.

V. The Standard of Good Practice for Information Security is compiled by the Information Security Forum (ISF), which has some 300 member organisations globally. According to its website:

‘Included in the Standard are topics that are extremely important to many organisations including:

  • Controls aimed at complying with legal and regulatory requirements, such as Sarbanes-Oxley Act 2002, the Payment Card Industry (PCI) Data Security Standard, Basel II 1998, and the EU Directive on Data Protection.
  • Coverage of all the main security controls in other major information security-related standards, such as ISO/IEC 27002 (17799) and COBIT.
  • ‘hot topics’ in information security, such as Threat Horizon, Digital Rights Management, Eurosox and Virtualisation (e.g. reflecting the output from ISF Briefings and ‘Future Watch’ projects).’

2. Frameworks or Best practice guidelines

I. ITIL (UK): the Information Technology Infrastructure Library is a set of concepts and practices for IT service management (ITSM) that includes security management. It describes the organisation of IT resources to deliver business value and documents the processes, functions and roles in ITSM. ITIL introduced the concept of the service desk, intended to provide a single point of contact and a common database to meet the communication needs between users and IT providers. ITIL was originally developed by the UK government’s CCTA in the late 1980s; its second version was developed in alignment with BS 15000, the former UK standard for IT service management. BS 15000 was fast-tracked in 2005 to become ISO/IEC 20000, the first international standard in ITSM.

II. COBIT (USA): the Control Objectives for Information and related Technology is a set of best practices (a framework) for IT management and governance, and is complementary to ITIL. It is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). There are published guides on how ITIL, COBIT and ISO 17799 can be aligned, and ISACA has recently made available a mapping of ITIL V3 to COBIT 4.1.

III. CIS (the Center for Internet Security) publishes benchmarks: consensus best-practice standards for the secure configuration of operating systems, applications and network devices. When the Payment Card Industry Data Security Standard (PCI DSS) published its requirements, it cited the CIS Benchmarks as an accepted source of system hardening standards.
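The following is an added example, not code from the original post nor from CIS or the PCI council, showing what a configuration benchmark check looks like once automated: it parses an OpenSSH sshd_config and evaluates a handful of hardening expectations of the kind CIS Benchmarks contain. The sample configuration, the function names and the expected values are assumptions for illustration; the actual CIS recommendation numbers and thresholds vary by benchmark version and are not reproduced here.

```python
"""Added example: automating a CIS-style configuration benchmark check.

Parses an OpenSSH sshd_config and evaluates hardening checks of the kind
found in CIS operating-system benchmarks. The expected values below are
illustrative assumptions, not a copy of any specific benchmark release.
"""
import re

# Constructed sample configuration (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding no
PermitEmptyPasswords no
LogLevel INFO
# Repeated keyword: sshd uses the FIRST value, so this line is ignored
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, honouring sshd's first-value-wins rule.

    Comments and blank lines are skipped. Settings inside 'Match' blocks are
    conditional on the connecting user/host, so they are skipped here rather
    than being mistaken for global values.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or '='.
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


# (keyword, check kind, expected value): illustrative hardening expectations.
CHECKS = [
    ("protocol", "equals", "2"),            # legacy check; modern OpenSSH only speaks v2
    ("permitrootlogin", "equals", "no"),
    ("maxauthtries", "max", 4),
    ("x11forwarding", "equals", "no"),
    ("permitemptypasswords", "equals", "no"),
    ("loglevel", "one_of", {"info", "verbose"}),
    ("clientaliveinterval", "max", 300),    # absent => FAIL: sshd default is 0 (never)
]


def evaluate(settings):
    """Return a list of (keyword, 'PASS'|'FAIL', actual_value) for every check.

    A keyword that is not set at all is a FAIL: the benchmark wants an
    explicit value, and the daemon default is frequently the insecure one.
    """
    results = []
    for key, kind, expected in CHECKS:
        actual = settings.get(key)
        if actual is None:
            ok = False
        elif kind == "equals":
            ok = actual.lower() == expected
        elif kind == "one_of":
            ok = actual.lower() in expected
        elif kind == "max":
            ok = actual.isdigit() and 0 < int(actual) <= expected
        else:
            raise ValueError("unknown check kind: %s" % kind)
        results.append((key, "PASS" if ok else "FAIL", actual))
    return results


def failing(settings):
    """Keywords whose check failed, for use as an audit finding list."""
    return [key for key, status, _ in evaluate(settings) if status == "FAIL"]


if __name__ == "__main__":
    for key, status, actual in evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("%s %s: %s" % (status, key, actual if actual is not None else "<not set>"))
```

Two details matter in practice and are the reason a real benchmark is more than a list of expected strings: sshd applies the first value it reads for a keyword, so the trailing ‘PermitRootLogin no’ in the sample does not rescue the earlier ‘yes’, and a setting that is simply absent must be reported as a failure rather than silently skipped, because the daemon default is often the insecure one.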

3. Law (for more information, please refer to my previous blog post International and UK Law and how it relates to IT and Computers):

I. HIPAA (USA): the Health Insurance Portability and Accountability Act, enacted by the US Congress in 1996. It protects health insurance coverage for workers and their families when they change or lose their jobs. The Security Rule is a key part of HIPAA; its primary objective is to protect the confidentiality, integrity and availability of electronic protected health information (ePHI) when it is stored, maintained or transmitted.

II. Sarbanes-Oxley (USA): the act was passed as a result of major corporate accounting scandals including Enron and WorldCom. According to Mark Rasch, ‘IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting. Because of SOX’s reliance on controls, the Committee of Sponsoring Organizations of the Treadway Commission (headed by former SEC member James Treadway) developed a series of controls for financial processes which are now known as the COSO guidelines. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. For IT auditors, the relevant guidelines are COBIT (Control Objectives for Information and Related Technologies) which is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. (In the UK, there is the IT Infrastructure Library, published by the Office of Government Commerce in Great Britain which complements COBIT.) These are a series of IT controls which should be in place in order to make such a SOX certification with respect to IT.’

III. Data Protection Act (UK) 1998: defines UK law on the processing of data about identifiable living people (and extended the scope of data protection beyond automatically processed data). It was enacted to bring UK law into line with the European Directive of 1995, which required Member States to protect people’s fundamental rights and freedoms, in particular their right to privacy with respect to the processing of personal data. In practice it gives individuals a way to control information about themselves. In terms of IT security, the data must be secured against accidental loss, destruction or damage and against unauthorised or unlawful processing; this applies even if the business uses a third party to process personal information.

In summary, Symantec’s study found that organisations are exploring approximately 19 different standards or frameworks and are using 8 of them, without even taking industry-specific ‘control measures’ into account. Any organisation’s IT security strategy should consider all three areas (standards, frameworks or best practice guidelines, and law) and select appropriately from within each. Ongoing developments such as the recent health care reform bill (USA) will continue to have their own implications for IT security.


Prepare to mashup

Links updated 12.12.11

The majority of this article has been ‘mashed-up’ courtesy of four IET articles that appeared in issue 5, 24th March edition.

Mashup is a relatively new concept that originated within the computer industry in the early 2000’s. ‘Raj Krishnamurthy (Chief Architect at JackBe Corporation) and Deepak Alur (VP Engineering at JackBe Corporation) started working on Enterprise Mashup Markup Language (EMML) in 2006. Their objective was to enable user-oriented and user-enabled mashups by creating what was then a new type of middleware called an Enterprise Mashup Platform. Raj Krishnamurthy became the chief language designer and implementer of EMML and also led the team to create an Eclipse-based EMML IDE called Mashup Studio. This work evolved into the EMML reference implementation that was donated to the Open Mashup Alliance. Raj Krishnamurthy continues to be one of the key contributors to EMML through the Open Mashup Alliance’ – (Wikipedia – Enterprise Mashup Markup Language – EMML).

‘Mashups were first used in the early 2000s to describe music tracks created by blending parts of songs from different genres – for example, taking the vocals from a rock song and laying them over a hip-hop beat’ – (IET – A sophisticated mess?). ‘Mash-up platforms comprise three elements: software components that help users source and display different types of data, like portlets, widgets or gadgets; tools that allow developers to create mash-ups for others to use; and an underlying software infrastructure to manage, secure and maintain the new data combinations’. ‘Mash-ups were harnessed by inventive Internet consumers and explorative Web developers who monkeyed around with the technology on a largely experimental basis; but businesses soon caught on to the potential of mash-ups’ practicality and ease-of-use. This led software vendors to design mash-up creation tools.’

‘Indicators agree that the potential for market growth is there, in part inspired by the ‘open ethos’ re-use/re-service approach promulgated by service-oriented architecture (SOA) technology. Research company Forrester reckons that sales of this type of software were worth a modest £106m in 2008; the figure is forecast to reach £1.14bn by 2013.’ (IET – Mashup tools: enterprise enablers for the mashed age.)

‘“Mash-up” has become more commonly associated with the merging of software, in particular websites or applications built using content from more than one source to create a new service. Typical examples include Nightfeed (www.nightfeed.com), which combines social networking sites such as Facebook with Google maps to help you find the most popular nightlife in your area; Twittervision (www.twittervision.com), which displays Twitter posts on a global map in real time; and SoupSoup (www.soup-soup.net), a news mash-up that complements stories from the BBC, CNN and other sources with articles from Wikipedia and pictures from Flickr. Since you don’t need a degree in computer science to build a mash-up and the tools to do so are readily available, there are already thousands of such applications on the Web, covering everything from shopping to real estate.’ (see IET – A sophisticated mess?)

‘Web mash-ups hardly represent a technological revolution, but they are likely to play a big role in shaping the future of the Web. Today’s Web is all about participation and the collective experience – applications that can be easily adapted to allow users to manipulate data will be key to how it evolves. Take the Google Mobile Application for the iPhone, which uses speech recognition technology to allow you to search the Web. Suddenly you’re interacting with the Internet by talking to it, which makes a keyboard interface seem a little old-fashioned.’

‘“The smartphone revolution has moved the Web from our desks to our pockets,” says Tim O’Reilly, software guru and founder of the computer book publisher O’Reilly Media. “Our phones and cameras are being turned into eyes and ears for applications.”’

‘The trickiest transition for any new generation of computer application is that from nascency to immaturity. For mash-up developers the potential for significant market take-up seems evident – mash-up plus-points carry much force in the context of business IT – yet even as the factors for success fall into place, the ‘tipping point’ still seems a way off. The mash-up proposition holds attractions for enterprise IT, especially the potential to enable task-specific browser-based applications (relatively) quickly and cheaply, that energise existing corporate information by combining it with external data sources and other resources online.’

‘The mash-ups model is also claimed to be adept at integrating data already ‘siloed’ inside an organisation, and enterprise IT strategists will like the fact that mash-ups applications are scalable. But these qualities are for nothing if no standards exist to validate them.’

‘Mash-ups are not, of course, completely dissociated from industry standards. They work on standard browsers and are based on open-source software elements; this may or may not be a good thing, depending on an organisation’s stance toward open-source. Some IT leaders recognise the benefits of open-source and embrace it; others think that the compatibility problems it can cause make it more trouble than it’s worth.’

‘The mash-up ethos is strongly predicated on ‘openness’, both in respect to code accessibility and toward data ownership, but even very open-minded open-sourcers may want to see standards-driven controls. The focus here centres around user demand driving better standards and this encouraging adoption.’

‘According to mash-up standards doyen Dion Hinchcliffe, founder of Enterprise 2.0 firm Hinchcliffe & Co, demand-driven interest is pressuring the standards process. ‘As business conditions increase the internal demand to leverage untapped corporate knowledge, mash-ups offer a model that aligns to the needs of the business by connecting workers to resources they need,’ he says. ‘[They] allow for the easy creation of inexpensive, ‘situational’ applications that can now fall inside resource, budget and time [targets] that were difficult to meet with older generation techniques.’ (IET – Mashup standards: crucial to enterprise acceptance)

‘Market watcher Gartner has categorised the benefits of emerging mash-up tools to corporate buyers into five elements: application flexibility; faster application delivery; development productivity; end-user empowerment; application innovation. That flexibility is perhaps best shown when a single mash-up interface is used to replace multiple different applications which would otherwise have to be used simultaneously to display the same data.’

‘Pharmaceutical company Pfizer, for instance, uses an Intranet-based business intelligence (BI) mash-up to deliver ad hoc query, forecasting, planning, and modelling to its product research executives making investment decisions.’

‘The mash-up is based on Composite Software’s Information Server platform, which takes information from factory, project and portfolio management, inventory and supply chain databases, and uses a combination of other tools, including BusinessObjects WEBi reports, Spotfire DecisionSite analytics, SharePoint Designer and ASP.NET pages for presentation.’

‘Mash-ups also allow Pfizer to develop new software tools which help Pfizer’s researchers share information more quickly, and let end-users configure their own mash-ups and test them out before they go into production.’ – (IET – Making mash-ups)

As governments release their data sets, it will become increasingly easy to create mashups from government data. ‘These include Openly Local (Replaces planningalerts.com), a free service that emails you if someone has put in a planning application to build near your house (although to be fair it launched before the government’s move). FillThatHole lets people report potholes and other road hazards across the UK, using location data from the Office for National Statistics.’ – (Techcrunch)

For more, please also read – IET – Managing mash-ups and The 10 Best Mashups on the Web

Michael Dell’s (CEO Dell) management style and CIOs

Today’s article is the second in a series (the first was on Steve Jobs of Apple) analysing current and past leaders to see how Chief Information Officers (CIOs) can manage better by applying the leadership practices of these leaders. It is interesting how remarkably similar the new technology leaders are in many ways; I’ll leave you to decide on their similarities.

PS: CIO is a generic term and other analogous titles are Head of IT, IT Director, Director of IT etc.

The Management Style

Michael Dell started his empire from his bedroom with $1000. Let’s see what CIOs and general management can learn from this icon of modern business and technology. (In no particular order and a few other sources utilised):

1. Constant analysis: Michael Dell (MD) – “There are a lot of things that go into creating success. I don’t like to do just the things I like to do. I like to do things that cause the company to succeed. I don’t spend a lot of time doing my favorite activities. What matters is our future plan of action. We are systematically moving to increase efficiencies, improve execution and transform the company. I constantly adjust my approach and way of doing things based on all the inputs and opportunities that I see.”

Successful business people and leaders are constantly looking to improve their business, and MD uses this to maximum advantage. It was through constant analysis that Dell successfully started its own range of printers. From the early days, MD realised that a business MUST support itself from the revenue it generates and not through borrowing.

2. Family commitment: MD – “I think we make a priority to bring balance into our lives. To me, family is very important. So if you look at my schedule, one of the things I realized a long time ago is that there is a limit to how much productive work you can actually do in a given week. There’s also the happiness factor; if you want to do something for a long time and be really good at it, you’d better have a strategy that is sustainable and works within what’s going on in the rest of your life. For me that means that I’ve got to have time with my family; I’ve got to have time to exercise; I’ve got to have time to sleep; I’ve got to be able to take my kids to school.”

This is an aspect of life that I firmly believe in as well. Time cannot be turned around or replaced. It is very important that we spend time with spouses and spend time with our children. As they grow up we have to ensure that they become responsible and active citizens. A work/life balance is crucial and ensures that we work optimally.

3. Spotting opportunities: MD – “I do believe that you must find something you’re passionate about and follow your interests – not what others tell you to do.”

We need to spot opportunities for improvement. It is not enough, however, just to spot them; the onus is then to create an environment that leverages the opportunity and makes it happen.

4. Business/IT Strategy: MD – “First of all, don’t start a business just because everybody else is doing it or it looks like it’s a way to make a lot of money. Start a business because you found something you really love doing and have a passion for. Start a business because you found something unique that you can do better than anyone else. And start a business because you really want to make a big contribution to society over a long period of time.”

When people enjoy their work, it is always more productive. Create an environment that encourages employees to deliver to their best capabilities. An environment that is not reliant on an individual’s contribution but where people work together, feel valued, are rewarded as a team and therefore can work towards a better future for the organisation.

5. Know your business and innovate: MD – “There are so many sectors of technology that are in different stages of development and maturity. If you want to be a part of that or create a masterfully successful company, that’s usually not done by replicating something which already exists. To create a real breakthrough, you have to do something which has never been done before or you have to do it in a way which is dramatically better than something that’s previously been done.”

The CIO and the entire IT department need to develop an innovative mindset. IT needs to help the business by understanding each department and then helping that department through innovative use of technology. That assists towards building relationships and reinforces the transformational capabilities of IT.

6. When the going gets tough, investment in people always pays: MD- “First, if you try to control things, that’s self-limiting. The easiest way to think about this is that if all the decisions inside an organization had to roll up to the center of the company or to one person, it’s a massive bottleneck. I believe in rules and having some order to things, but my natural proclivity is not to control everything myself. I am more inclined to provide frameworks and guidelines.”

One person alone cannot handle everything. The secret is to surround yourself with employees who are smarter than yourself. These smart people will challenge organisations and force them to think differently. I covered this under mobility of management in ‘Can IT Management failure be caused by a deadly disease? Part II’. That people are among the business’s most important assets, to be retained and invested in, is confirmed yet again by another business leader, and CIOs need to understand this.

7. Success in general may be built on failure: MD – “I would say a few things. First, don’t be afraid to make mistakes. That’s how you learn, so I believe a lot in trial and error and course corrections. Often companies are unwilling to admit when they’ve made a mistake. We tend to question things more in our business.”

Businesses in general do not tolerate failure, and that cascades down to the employees, who are encouraged to succeed at all costs. Yet at both Apple and Dell, failure is accepted as a route to success. Dell’s venture into personal organisers (the Axim) was not successful, but its move into the printer market has been. The secret is to learn from your mistakes, put them behind you and move on.

8. Learning: MD – “Continuous learning is also important.”

All great leaders have made it a habit to learn constantly. MD visits companies that impress him to learn how to improve himself and Dell. Other leaders such as Bill Gates are very well read and read books to improve their knowledge. The knowledge of all great minds, past and present, is available; it is up to us to seek it.

The three principles (3C’s) for successful internet businesses.

Approximately 10 years ago, MD outlined three principles that internet businesses should adopt. Many of these have since been adopted and enhanced, and they are reproduced here for you to draw your own conclusions.

1. Content

“The first stage of content means providing compelling information. This is how we started our online operations in 1993, when we put our technical databases online for customers to access. It was a relatively simple start, but it showed us the tremendous interest from our customers. By content, we mean bringing information online. Anytime you have a form, a manual, or a document, put it online. This is the foundation of any Internet strategy. Once we brought information online, it became clear to us where the opportunities were in the transaction world: simple things like order status and commerce, and we have added more complex things over time. The key, again, is that it is experiential and you learn by doing.”

2. Commerce

“The next stage is commerce, which should be thought of as all transactions, not just buying things over the web. In fact, our first activity in this area had nothing to do with purchasing. It was simply order status. Our ultimate goal is to deepen relationships with customers by providing added convenience, efficiency, and cost savings, and a wider array of services. The Internet creates an opportunity to move these key transactions online and drive transaction cost to almost zero.”

3. Community

“The final stage is developing an online community. We are building two-way relationships over the web with both our customers and our suppliers. Establishing communities of suppliers and end users that share common interests. In summary, the Internet is changing the face of the entire economic and social structure of not only this country but the entire world, and governments have a great opportunity to embrace it. We are seeing a transition from a brick-and-mortar government to an online government. The advantages will include things like velocity, efficiency, and a better customer experience.”

It is appropriate to conclude this blog post with a quote from Michael Dell himself on his competitive strategies: “speed to market; superior customer services; a fierce commitment to producing consistently high quality, custom-made computer systems that provide the highest performance and the latest relevant technology to our customers; and an early exploitation of the Internet.”