Aligning information security with IT operations to help meet business objectives in a demonstrable way is easy to say and hard to do. Based on several years of benchmark research, there are a set of proven, sound practices that allow enterprise IT operations and security teams to effectively operate and maintain production systems and meet security-based compliance requirements while providing new business-driven services [Kim 08].
In this podcast, Gene Kim, CTO for Tripwire and a founder of the IT Process Institute, discusses specific steps for integrating information security and IT operations based on benchmark results from high performing organizations. This work is described in ITPI's recently published book Visible Ops Security: Achieving Common Security Objectives in Four Practical Steps.
Since Gene's first podcast (Change Management: The Security 'X' Factor), he has been involved in a substantial benchmarking effort with the IT Process Institute titled "IT Controls Performance Study." Based on data from over 330 IT organizations, the study identifies the foundational controls that have the greatest impact on IT operations, security, and audit performance.
This study provided insight and data for a recent ITPI publication titled Visible Ops Security: Achieving Common Security Objectives in Four Practical Steps. We discuss key findings from this work (SVO) in this podcast.
The Disconnect Between IT Operations and Security
IT Operations (IT) can make life difficult for Information Security (IS), for example by deploying an insecure component into production. This could result from:
When IT Operations can't achieve their own goals, they certainly cant achieve security goals.
IS can sometimes make life more difficult for IT by unintentionally creating controls that add bureaucracy and overhead. This can create a backlog and delays if security is the last step in the review cycle before software is scheduled to go into production.
IS involvement, in this case, can hold up critical IT projects.
The Disconnect Calls for Business Leader Attention
IT and IS are getting in each other's way while both fail to achieve their objectives:
IT isn't providing a reliable, stable, secure IT production environment.
IS isn't safeguarding the business' goals, objectives, and information. This can include:
Making Security a Business Issue for IS and for Business Leaders
Business leaders need to specify information security objectives from a business perspective. These may include:
Security Is About More Than Compliance
IS is often perceived as irrelevant, bureaucratic, not aligned with the business, and too focused on technical details.
It is important to understand what IS looks like when it is providing value to the organization, such as when it enables global supply chain partnerships. The next section describes what high performing IT and IS organizations do to add business value.
Key Roles for IT and IS
There are two primary roles:
Characteristics of High Performing IS Organizations
As part of the IT Controls Performance Study, Gene's research team identified the following characteristics for high performing IS organizations:
These characteristics were evidenced in organizations of all sizes across sectors.
Gaining Situational Awareness
The first phase in Visible Ops Security (Stabilize the Patient and Get Plugged into Production) stresses the importance of IS being aware of its business and IT environment. This includes getting plugged into production and becoming a key player in how the organization operates identifying the critical stakeholders and major projects.
Getting plugged into production involves making sure IS is integrated into the change management process managing by fact, ensuring all changes are authorized, and adding value to the process.
IS helps create the right tone at the top by making sure IT management takes decisive action when people make unauthorized changes.
Through these steps, IS helps the organization substantiate the effectiveness of controls for audit and compliance activities.
So situational awareness means:
The remaining steps in SVO Phase 1 include:
The idea throughout SVO is to ensure that security controls are fully integrated into mainstream IT operational processes.
Addressing Security from a Risk Perspective
During the early days of SOX-404 compliance efforts, IT was spending an excessive amount of time testing controls that ended up not contributing to accurate financial statements. This was a key lesson learned.
The Institute of Internal Auditors GAIT project helped codify how to appropriately scope the IT-relevant portions of SOX.
Visible Ops Security Phase 2 (Find Business Risks and Fix Fragile Artifacts) reflects what was learned here about using risk as the basis for control ranking, prioritization, and selection.
The important message here is to focus on the few controls that really matter, using knowledge of key business processes to identify where they are dependent on critical IT functionality. Then IT can focus on making sure these controls are working effectively.
The Concept of Fragile Artifacts
Fragile artifacts are pieces of IT infrastructure that are prone to break, have high business outage costs, and/or have high mean time to repair. Fragile means operationally fragile, as well as fragile with respect to demonstrating compliance or meeting internal control objectives for financial reporting.
Fragile is synonymous with "risky," so it is a useful concept in helping prioritize where IS and IT should focus their attention.
Implement Development and Release Controls
SVO Phase 3 describes how to integrate IS into upstream development processes to ensure that software that goes into production is secure and of high quality.
IS needs to work with project management to, among other things, help codify security standards, help train development staff on them, create a library of secure, reusable code, and integrate with the quality assurance function to help test for information security risks.
It is important for IS to have an informal relationship with internal audit (IA) as well, given IA's perspective on organizational risks. This collaboration can result in fewer audit findings, few repeat audit findings, and less time addressing audit findings.
Measuring Progress and Outcomes
Each phase of SVO describes outcome measures and metrics that are useful for demonstrating progress and results. Some of Gene's favorites include:
The IT measures are further elaborated in The Visible Ops Handbook: Starting ITIL in 4 Practical Steps, published in 2004.
[Kim 07] Kim, Gene; Love, Paul; Spafford, George. Visible Ops Security: Achieving Common Security Objectives in Four Practical Steps. IT Process Institute, 2008.
"An Introduction to Security Visible Ops with Gene Kim." Tripwire Webcast.
Behr, Kevin; Kim, Gene; Spafford, George. The Visible Ops Handbook: Starting ITIL in 4 Practical Steps. IT Process Institute, 2004.
The IT Process Institute