Change is not an easy process for IT organizations, especially when that change pertains to the security of IT infrastructure components and deals with end users. Implementing change and getting acceptance or buy-in for the roles, responsibilities, and accountabilities for information security is paramount. This is critical because of the separation of duties, given the seven areas of information security responsibility. This separation of duties is the result of a defense-in-depth approach to securing the IT infrastructure, where the duties, tasks, roles, responsibilities, and accountabilities are distributed in a layered fashion across the organization. Security controls, procedures, and guidelines must be fully understood to mitigate risk.
The staffing and information security expertise that is needed to support the roles, tasks, responsibilities, and accountabilities throughout the IT infrastructure encompasses many areas in information technology. The seven areas of information security responsibility require full cooperation and understanding of each person's responsibilities and accountabilities in the information security chain of defense. Many organizations lack the experience and expertise in information security and are forced to either get the proper training or obtain assistance from consultants to fulfill the new roles, tasks, responsibilities, and accountabilities. To adequately address the information security requirements of an IT organization, specific expertise in the seven areas of information security responsibility is required:
- User area This area refers to the organization's acceptable use policies (AUPs) and that employees, consultants, contractors, and third parties must sign the AUPs to be granted access to the organization's IT resources.
- Workstation area This area refers to the end user's desktop devices, such as a computer, VoIP telephone, or PDA device. Workstation devices require a significant amount of vulnerability and software patch management to maintain the integrity of the device.
- LAN area This area refers to the physical and logical local area network technologies (for example, 100Mbps switched Ethernet, 802.11 family of wireless LAN technologies) used to support workstation connectivity to the organization's network infrastructure.
- LAN-to-WAN area This area refers to the organization's internetworking and interconnectivity point between the LAN and the WAN network infrastructures. Routers, firewalls, demilitarized zones (DMZs), and intrusion-detection systems (IDS) are commonly used as security monitoring devices.
- Remote access area This area refers to the authorized and authenticated remote access procedures for users to remotely access the organization's IT infrastructure, systems, and data.
- WAN area Organizations with remote locations require a wide area network connection. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This area typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations.
- Systems/applications area This area refers to the hardware, operating system software, and application software. IT servers, systems, applications, and data assets are typically hosted in a data center and/or in computer rooms.
Many organizations require information security staff augmentation or outsourced, managed security services because of a lack of qualified information security resources. Training internal employees in information security or hiring information security consultants is certainly one way to obtain some information security knowledge. This strategy coupled with outsourcing managed security services is commonplace given the complexity of information security. Today, many organizations outsource elements of their information security responsibilities to managed services providers who specialize in outsourced security monitoring and assessment services.
Seven Areas of Information Security Responsibility
Specific to these seven areas of information security responsibility are the following requirements for IT personnel regarding roles, tasks, responsibilities, and accountabilities:
- Roles/Tasks This area pertains to granting authorized access to the organization's IT infrastructure, resources, and assets for employees, contractors, and other third parties who must review, sign, and execute the organization's AUPs for Internet access, email usage, and access to the organization's computer resources.
- Responsibility The responsibility for obtaining the appropriate AUPs prior to commencing any work and access to the organization's IT infrastructure, resources, and assets lies with the organization's human resources department.
- Accountability The organization's human resources department is typically accountable for obtaining, verifying, and auditing each employee's, contractor's, or other third party's properly submitted AUPs and agreements.
- Roles/Tasks This area pertains to maintaining and updating user workstations and devices (hardware, software, firmware, operating systems, software patches, memory, and so on) that are authorized and approved for access and connectivity to the organization's IT infrastructure. Specifically, workstation operating systems, antivirus software updates, and other workstation configuration standards must be kept current and validated to maintain the integrity of the end user's workstation. Workstation client software used for remote access and security is also part of this area.
- Responsibility The responsibility for maintaining and updating the user workstations and devices is the responsibility of the IT support personnel for that department or the IT organization's workstation technicians. Technology standards must be followed to maintain the integrity of the organization's workstations.
- Accountability Each department's IT manager or the IT organization's director of desktop technology will be held accountable for verifying, validating, and updating the organization's workstation configurations, identifying gaps or deficiencies, and ensuring that any deficient workstation, operating system, software patches, and antivirus software updates are updated and made compliant to the IT organization's policies and standards.
- Roles/Tasks This area pertains to the physical local area network infrastructure elements, wiring, hubs, switches, wireless access points, and the physical connection to the departmental or building local area network systems. In addition, this area pertains to the logical workstation-to-LAN connection via an authorized logon UserID and password for access to the departmental LAN server. This is also typically the first level of authentication required for end users to access the organization's IT infrastructure.
- Responsibility Maintaining, updating, and providing physical connectivity for workstation devices to a departmental LAN system is the primary responsibility of the IT organization's LAN or networking department. This responsibility includes the workstation wiring, LAN hub or switch port access, and physical connectivity or wireless access point connectivity to the departmental or system LAN server. Maintaining, updating, and providing ongoing support for LAN server system administration is the responsibility of the respective IT organization's LAN system administrators or LAN managers.
- Accountability The accountability for maintaining, updating, and providing ongoing technical support for the LAN area and complying with the IT organization's policies and standards pertaining to LAN and network technology lies with the IT organization's director of LAN or network technology.
Remote Access Area
- Roles/Tasks This area pertains to the organization's end users who must remotely access the IT infrastructure via an authenticated connection through the Internet, dial-up, or other means of connectivity (for example, authorized users from home or other remote location). In addition, this area pertains to the logical workstation-to-network connection via an authorized logon UserID and password for access to state-owned resources and systems. Remote workstations that require client software for VPN support and/or intrusion-detection monitoring are also part of this area.
- Responsibility The responsibility for defining the security requirements and standards for authorized remote access resides with the IT organization's WAN department. Remote access responsibilities include implementing, maintaining, updating, and providing ongoing support for remote access system administration, authentication, and availability.
- Accountability Accountability for defining and evaluating remote access standards and technologies, as well as implementing, supporting, and ensuring that the IT organization's policies and standards are followed, lies with the director of WAN or network technology.
- Roles/Tasks This area pertains to the router, firewall, and intrusion detection monitoring device (if applicable) that interconnects the LAN to the WAN. Router configuration, firewall configuration, design of a DMZ, system monitoring, intrusion detection monitoring, and ongoing system administration for the router, firewall, and intrusion detection system are part of this area.
- Responsibility The responsibility for the IT organization's routers, configuration, and maintenance resides within the WAN department. The responsibility for all firewall configuration and monitoring and intrusion detection devices resides with the IT organization's IT security department (if applicable); otherwise, this responsibility typically resides with the WAN department.
- Accountability The accountability for maintaining, updating, and providing ongoing technical support for routers, firewalls, and intrusion-detection monitoring and ensuring that this area is in compliance with the IT organization's policies and standards lies with the director of IT security or the director of WAN or network technology.
- Roles/Tasks This area pertains to the wide area network that is to be deployed throughout the organization to interconnect its remote sites to a common network infrastructure. The wide area network comprises backbone circuits, NAP and POP switches, routers, firewalls, and end site devices (routers, CSU/DSUs, codecs, and so on) that will be installed at identified end-site locations.
- Responsibility Typically, a service provider provides the wide area network connectivity and in some cases a completely outsourced wide area network including CPE equipment and the management of the WAN and CPE equipment. If this is the case, Service Level Agreements (SLAs) are commonly used to define the service provider's responsibilities as they pertain to network bandwidth, performance, and the confidentiality, integrity, and availability of the WAN. Service providers typically provide a single point of contact as well as escalation procedures for circuit failures and outages. The IT organization's director of WAN or network technology is usually responsible for managing the relationship with the service provider.
- Accountability The accountability for managing the WAN service provider lies with the IT organization's director of WAN or network technology. The service provider, through documented SLAs, is responsible for maintaining, updating, and providing ongoing technical support, monthly network management reports, and SLA guarantees for all circuits, switches, routers and firewalls (outsourcing the configuration and management of firewalls may apply). Review of these monthly reports is the responsibility of the IT organization's director of WAN or network technology.
- Roles/Tasks The systems and application area consists of hardware, systems, application software, database software, and data. This area includes hardening the operating system software, configuring the servers and applications, and implementing security countermeasures. This domain typically encompasses all server platforms (mainframe, Unix, and Microsoft), as well as systems and applications that reside in the IT organization's data center.
- Responsibility The IT organization's systems and application system administrators and applications developers are responsible for maintaining and managing the hardware and systems software for the organization's production systems and applications. This responsibility includes establishing tools and techniques for ensuring the confidentiality, integrity, and availability of the hardware and systems software.
- Accountability The accountability for the organization's production systems and applications lies with the director of systems and the director of application development. The accountability for security of the systems and applications typically lies with the director of IT security and the data owner. The accountability for the production system's and application's compliancy to the IT organization's policies and standards lies with the director of LAN or network technology.
Many IT organizations are struggling to augment or educate their current IT staff in information security practices, procedures, and guidelines. Traditional IT job descriptions are being expanded to include the roles, tasks, responsibilities, and accountabilities unique for information security. In some cases, organizations are creating entire IT security departments within their existing IT organization. Other organizations put the IT security department outside of the IT organization and have them report directly to the chief security officer (CSO) and not the chief information officer (CIO). Training and certifying IT professionals in information security is paramount. Without the proper background, knowledge, and experience in information security, creation and implementation of an IT security architecture and framework is a difficult task. In addition, training the end users to be more security conscious is not an easy task and requires constant reminders and education to bring the security consciousness of the organization to a consistent level.