Preventing Data Breaches Starts with Benchmarking the Information Security Function
To create an effective information security incident response capability, banks need to first understand where they are in terms of security readiness. Benchmarking the information security program is one of the most difficult and important tasks a chief information security officer will face. That task has gotten easier now with the publication of a set of incident management capability metrics by the Software Engineering Institute of Carnegie Mellon University.
The metrics provide a baseline of incident management practices. The incident management functions, presented as a series of questions and indicators, define the actual benchmark. The questions explore different aspects of incident management activities for protecting, defending, and sustaining an organization's computing environment, in addition to conducting appropriate response actions.
Successful management of incidents that threaten an organization's computer security is a complex endeavor. Organizations frequently concentrate on the response aspect of security incidents, and as a result never manage incidents beyond simply reacting to threatening events.
The need for such management is underscored by the recent breach at TJX and other incidents. More than 73% of companies that experienced data breaches do not invest in event management security tools, and 65% are not taking steps to control endpoints on their organization's systems or networks, according to a survey released in May 2007 by the Ponemon Institute. More than 57% did not have an incident response plan in place before the breach occurred.
The Software Engineering Institute's benchmarking methodology consists of four major categories: protect, detect, respond, and sustain. In each of these categories, the organization must have defined procedures and methods to perform the function; staff with the requisite knowledge, skills, and abilities to perform the tasks and activities; and an infrastructure with appropriate tools, techniques, equipment, and methodologies to support that work.
The Protect process covers actions taken to prevent attacks from happening and to mitigate the impact of those that do occur. Preventative actions secure and fortify systems and networks, which decreases the potential for successful attacks against the organization's infrastructure. Such steps can include implementing defense-in-depth and other security best practices to ensure systems and networks are designed, configured, and implemented in a secure fashion; performing security audits, vulnerability assessments, and other infrastructure evaluations to identify and address weaknesses or exposures before they are successfully exploited; and collecting information on new risks and threats and evaluating their impact on the organization.
Mitigation involves making changes in the enterprise infrastructure to contain actual or potential malicious activity. Such actions might include making changes in filters on firewalls, routers, or mail servers to prohibit malicious packets from entering the infrastructure; updating IDS or anti-virus signatures to identify and contain new threats; and installing patches for vulnerable software.
In the Detect process, information about current events, potential incidents, vulnerabilities, or other computer security or incident management information is gathered both proactively and reactively. In reactive detection, information is received from internal or external sources in the form of reports or notifications. Proactive detection requires actions by the designated staff to identify suspicious activity through monitoring and analysis of a variety of logging results, situational awareness, and evaluation of warnings about situations that can adversely affect the organization's successful operations.
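The two preceding paragraphs describe the proactive-detection and mitigation steps in the abstract. The following is an added example, not code from the article or from the SEI publication, showing one concrete form those steps take: a small Python script that scans sshd authentication log lines for password brute-forcing (proactive detection through log analysis) and turns each flagged source into a host-firewall rule (the filter change described under mitigation). The log lines, the threshold of five failures in one minute, and the use of iptables as the containment mechanism are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for illustration (not taken from any real system).
# The first host fails five times in eight seconds; the second fails twice, half an hour apart.
SAMPLE_LOG = """\
Jan 12 10:00:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Jan 12 10:00:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51813 ssh2
Jan 12 10:00:05 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51814 ssh2
Jan 12 10:00:07 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51815 ssh2
Jan 12 10:00:09 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51816 ssh2
Jan 12 10:00:15 bastion sshd[2215]: Accepted publickey for deploy from 198.51.100.22 port 40022 ssh2
Jan 12 10:01:00 bastion sshd[2216]: Failed password for alice from 198.51.100.22 port 40023 ssh2
Jan 12 10:30:00 bastion sshd[2300]: Failed password for alice from 198.51.100.22 port 40030 ssh2
"""

# Matches the syslog-style sshd lines above; anything else is ignored rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2007):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2007 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Proactive detection: flag source IPs with >= threshold failed logins in a sliding window.

    Returns {ip: timestamp_of_first_detection}. Accepted logins and unparsable
    lines are skipped, so a real-time feed can be passed in line by line.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def block_rules(flagged):
    """Mitigation: render the containment step as host-firewall rules (iptables assumed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{when:%H:%M:%S} brute-force suspected from {ip}")
    for rule in block_rules(hits):
        print(rule)
```

Running the script flags 203.0.113.7 at 10:00:09 and emits one DROP rule for it; the two failures from 198.51.100.22 fall outside the one-minute window and are left alone, which is the point of windowing rather than counting failures over the whole log. In practice the rule would be applied by the firewall change process the mitigation paragraph describes, not directly by the detection script.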
The Respond process includes the steps taken to analyze, resolve, or mitigate an event or incident. Such actions are targeted at understanding what has happened and what needs to be done to enable the organization to resume operations as soon as possible or to continue to operate while dealing with threats, attacks, and vulnerabilities.
Respond steps can include analysis of incident impact, scope, and trends; collection of computer forensic evidence; and development and release of alerts, advisories, bulletins, or other technical documents.
The Sustain process focuses on maintaining and improving incident management capability itself. It involves ensuring that the capability is appropriately funded, incident management staff are properly trained, infrastructure and equipment are adequate to support the incident management services, and appropriate controls, guidelines, and regulatory requirements are followed to securely maintain, update, and monitor the infrastructure.
The metrics are not a precisely defined path for every organization to build the perfect incident management capability, but they can serve as a baseline for judging a team's effectiveness against the approaches used by other entities.
The publication, Incident Management Capability Metrics, can be downloaded from the Software Engineering Institute.