Chapter II: Aligning Assurance Requirements, Countermeasures, and Business


Craig E. Kaucher
National Defense University, USA      

Introduction

The latest year-end statistics from the highly regarded CERT Coordination Center (CERT-CC) at Carnegie Mellon University once again demonstrate that there is little evidence of improvement in information assurance. The number of incidents reported to CERT-CC once again nearly doubled from the previous year, and for the first time exceeded the six-figure mark at 137,529 for 2003 (CERT, 2004).

Various surveys of the business community put the cost of information security breaches in the billions of dollars. One survey by security company Trend Micro put the cost of computer viruses alone at $55 billion worldwide in 2003 (Reuters, 2004). Another survey of government and corporate leaders from around the world by PriceWaterhouseCoopers and CIO Magazine stated that their top priority for 2004 would be to raise end-user awareness (CIO, 2003), which may indicate that emphasis across organizations, and from the top to the bottom, is still lacking.

Governmental organizations also continue to struggle with securing their information. Federal government agencies in particular continue to be cited for weak information security. A January 2003 report by the General Accounting Office (GAO) found that many agencies of the federal government had noted increased management attention to and accountability for information security since the enactment of the Government Information Security Reform Act in 2001, but "Although improvements are underway, recent audits of 24 of the largest federal agencies continue to identify significant information security weaknesses that put critical federal operations and assets in each of these agencies at risk" (GAO, 2004). This report specifically identified security program management and access control as the two most often identified weaknesses. In fact, security program management, defined by the GAO as "the framework for ensuring that risks are understood and that effective controls are selected and properly implemented," was the only area in which every one of the 24 major federal agencies audited was found to have weaknesses. This statistic was also unchanged from another GAO audit one year earlier.

Why is it that security program management remains a weakness across nearly every federal agency, and why is this concern also mirrored in the corporate world? One might wonder also how awareness can still remain a top concern, when the prevalence and impact of incidents are so widely reported. What are the hurdles that both government and industry face in institutionalizing information assurance and security in information-age organizations?

When many people hear the terms information assurance or security, they tend to think in terms of problems. Certainly, the mention of information assurance or security to many people today immediately reminds them of the problems that they personally or their organizations have suffered through with the latest rounds of malware. Others, sometimes in organizations that handle more sensitive or classified information, may immediately think of their perceived biggest problem, the insider threat.

More technically oriented individuals may say with a lot of conviction that the problem lies mainly in the widespread use and distribution of software that is "inherently insecure." People who read a lot of popular publications and news stories may say that the big problem in information assurance today is anything wireless.

Blaming so-called hackers is so common that it is almost passé. And people who like to show us all that they are really big, strategic thinkers, looking boldly into their crystal balls to predict the future, may say that a new form of terror, cyber terrorism, is now upon us, and so this is a big, big problem.

This approach to information assurance is very reactive, at best, and quite possibly totally ineffective at the worst. In fact, it may be the antithesis of effective information assurance. Labeling as "the problem" what are in reality a few among many, many possible threats to your information and information systems, or a few among many, many possible vulnerabilities within your information and information systems, automatically excludes the context of the situation, ignores the information assurance requirements for that given situation, and will probably result in a patchwork approach to mitigating any future risk to your organization.

So if we delve a little deeper into the problems, we may begin to ask some questions such as these. Have we done all that we could to cover all potential avenues by which viruses, worms, and other malware could be introduced into our environment?

What do we do to determine whether a potential new hire, or a long-time employee, could possibly be a malicious inside threat? And also, what are we doing on an ongoing basis to mitigate the non-malicious insider?

Do we really need to make our organization part of a global beta test of the latest version of Server Software X before we have some assurance of its security and stability?

A few years ago, information security people worried about the rogue modem that provided a back-door into the information infrastructure. Now the problem with wireless capabilities may be much bigger, because while the rogue modem probably serviced only one user at that particular workstation, the rogue Wireless Access Point in the wrong place could provide back-door access to an unknown number of potential threats.

We may also believe that the sys admins or the network guys are taking care of our information assurance needs. Oh, by the way, wasn't that just outsourced?

And who would possibly want to attack poor, little old me, just sitting here on my office PC, minding my own business, just doing my job, which shouldn't threaten anybody?

So one step away from what are often perceived and described as our information assurance "problems," we find a collection of behaviors, roles and responsibilities, and beliefs that all belong to somebody! And they are not all from just one part of the organization. They may very well be the entire organization!

We are constantly in contact with information and information systems, at home, at work, and at nearly every point and instance in between. We may be almost becoming oblivious to our constant use of information and interaction with systems.

We do have a variety of needs, professionally, personally, and in mixed contexts, to assure the information. When we move through and in between our business and personal lives, these assurance requirements may change.

The means of assuring information are growing in quantity, and hopefully quality, but are they growing fast enough? And do we recognize and effectively employ all the means necessary to meet the requirements?

The real problem in information assurance is that today, we may fail to realize the full context in which information present in, and used by, our organization exists. We may lack an understanding of what the information assurance requirements are, and we may not know what the means, roles, and responsibilities to meet these requirements for information assurance are.

At the corporate, or strategic, or executive level, as a minimum level of awareness, an executive or senior manager needs to understand the relationship between these three things: context, requirements, and means. Understanding each of these as well as the relationship between them can come at the intersection of information assurance and enterprise architecture.

This chapter will focus on bringing together three emerging trends, information assurance requirements, enterprise architecture, and defense-in-depth, which in a coordinated fashion can form a framework that will provide a common understanding of information assurance requirements for specific architectural contexts, as well as the assignment of effective risk-mitigating approaches. It is vital to establish and understand the relationship between these three trends: information assurance requirements, enterprise architecture, and defense-in-depth measures. Understanding this relationship will enable organizations in both the corporate world and in government to maximize the effectiveness of their information assurance programs.

Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113