Challenges in Information Security Protection

Teresa Pereira, Henrique Santos
Polytechnic Institute of Viana do Castelo, Viana do Castelo, Portugal
University of Minho, Guimarães, Portugal
[email protected] [email protected]

Abstract: Security is a topic that is gaining more and more interest from organizations and government agencies. The amount of data that organizations have to deal with daily, the increasing number of on-line transactions and the lack of computer security awareness are strong motivations to exploit not only software vulnerabilities but also human vulnerabilities. In general, users tend to accept new technologies with complete disregard for their security vulnerabilities, if they get sufficient benefits from them. Fostering and continuously encouraging a security culture, and recognizing that people still are, and will always be, the weakest link, will certainly help organizations achieve adequate levels of security and thus come closer to their business goals. Moreover, monitoring and early detection also play an important role, as they enable organizations and governmental agencies to react more quickly to events that are harder to find and understand from the security management point of view. Rapid response to security events and the establishment of preventive actions to manage security are starting to become a competitive strategy for organizations. In this paper we highlight some information security concepts and principles, to deliver actionable information for decision makers for managing their corporate assets and ensuring their resilience.

Keywords: Information security, information security management, security standards, security methodologies.

1. Introduction

The proliferation of internet-based applications has changed the way organizations conduct their businesses.
Organizations are deeply interested in finding new technological initiatives at low operating cost, in order to offer better and innovative services and thus gain competitive advantage. However, with increasing reliance on technology to gain competitive advantage, information security is, and has been, one of the most critical and challenging requirements for conducting successful business. In fact, new technological solutions always carry vulnerabilities, which most of the time reveal unexpected security risks. In this context, organizations should identify, implement, monitor and evaluate the most effective set of controls, to provide an adequate level of security. The security standards from ISO/IEC JTC1 (International Organization for Standardization/International Electrotechnical Commission Joint Technical Committee 1) and NIST (National Institute of Standards and Technology) are an important reference in the information security domain, and in general organizations define their security program in alignment with the international security standards. However, these standards have an informative nature, lacking practical information and relying on the interpretation of the security expert, mostly based on their experience and perception of security. The security standards ISO/IEC 27002 and NIST SP 800-100 provide documented information to help users understand their computer security needs, and thus enable them to select the appropriate controls from a wide list of existing controls. However, these standards provide neither directives nor procedures or recommendations for the implementation of security actions; instead, implementation is designed more or less arbitrarily by practitioners on an individual basis, lacking any possibility of performance comparison. This paper highlights some information security concepts and principles, to deliver actionable information for decision makers for managing their corporate assets and ensuring their resilience.
This paper is structured as follows: section 2 introduces the current challenges in information security; section 3 presents an overview of the international security standards and security methodology approaches; section 4 presents some considerations regarding the implementation of security controls and policies; conclusions are presented in section 5.

2. Current challenges for organizational Information Security

Nowadays, organizations have to deal with various information security risks. Terrorist attacks, fires, floods, earthquakes and other disasters can destroy information processing facilities and critical documents. Theft and loss of organizational information can have serious impacts on businesses’ reputation, profitability, customer confidence and overall economic growth. For example, a security flaw such as the leakage of credit card information can have negative results for card payment companies, due to the cancellation and re-issuing of compromised cards. Certainly this is costly, with high impacts on the organizations’ reputation and customer confidence. In fact, one of the fastest growing information crimes is identity theft, including customer data lost by the organizations that were responsible for managing it. Such incidents have emerged all over the world, and have resulted in the introduction of rigorous national and international data protection laws in many countries, which require organizations to protect the personal information of stakeholders. Therefore, it is very important for organizations to make efforts to ensure their ability to securely protect their information assets and IT infrastructure. For this reason the adequate implementation of security controls is crucial to organizations, in order to ensure their business continuity, as is the monitoring and evaluation of the controls’ efficiency. Usually organizations proceed with the identification and selection of security controls according to their business needs and the associated security requirements. These security requirements should be clearly defined in the information security policy, and the security policy dictates the set of controls that will provide the required protection. Additionally, to verify whether the implemented controls meet the information security requirements, evaluation and certification should be the following step. Indeed, an increasing number of organizations has been seeking to obtain security certification. Certification enables organizations to comply with increasing demands from financial institutions and insurance companies for security audits. Moreover, it promotes trust in an organization’s capacity to implement appropriate security controls to manage and protect confidential client and business information.
Additionally, the monitoring and evaluation of the implemented controls are crucial in order to find out whether they are performing as expected, i.e., that controls are in place, are designed appropriately, are operating effectively, and are monitored regularly, in an effort to reduce risk exposure. Currently, there are a number of practical and deployable approaches, including a variety of globally recognized international standards and security methodologies, which can help organizations manage information security effectively and efficiently. The following section presents an overview of these approaches.

3. Practical approaches for organizational information security management

Nowadays there are security standards and methodologies available to help organizations manage information security. To create a solid structure for an information security program, organizations need to analyse and implement their methodology in alignment with one of the following international standards and methodologies.

3.1 ISO 27002 – Information technology – Security techniques – Code of practice for information security management

ISO 27002 is part of the ISO/IEC 27000 family of standards. It is an information security standard published by ISO/IEC, entitled Information technology – Security techniques – Code of practice for information security management. ISO/IEC 27002 is an advisory document, which defines the requirements for initiating, implementing, maintaining and improving information security management practice, in order to promote confidence in inter-organizational information collaboration. ISO 27001 replaced the BS7799-2 standard, which was primarily published as a code of practice. As this matured, a second part emerged to formally cover the security management system. ISO 27001 is harmonized with other standards.
In fact, ISO 27001 is a formal specification that uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS (Information Security Management System). However, since ISO/IEC 27002 is a code of practice or guideline, rather than a certification standard, organizations are free to select and implement the controls according to their control objectives, which should reflect the organizational security requirements. Implementing ISO/IEC 27002 involves a cost-effective plan that includes appropriate security controls for mitigating identified risks and protecting the confidentiality, integrity and availability of an organization’s information assets. It also involves ongoing monitoring to ensure that these controls remain effective (Saint-Germain, 2005). The standard comprises eleven information security control domains and seeks to address security compliance at all levels: managerial, organizational, legal, operational and technical. It specifies 35 control objectives, consisting of general statements of security goals for each of the eleven domains. The standard also includes 114 controls that identify specific means for meeting the control objectives. The ISO/IEC 27002 security domains are (ISO/IEC 27002, 2009):

1. Security policy – demonstrate management commitment to, and support for, information security.

2. Organization of information security – develop a structure for the coordination and management of information security in the organization. Assign information security responsibility.

3. Asset management – perform an inventory and classification of all critical or sensitive information assets.

4. Human resources security – manage the security aspects related to employees, in order to reduce the risk of error, theft, fraud, or misuse of computer resources by promoting user training and awareness regarding the risks and threats to information.

5. Physical and environment security – protect the information processing facilities, in order to prevent unauthorized access.

6. Communications and operations management – manage technical security controls in systems and networks, in order to reduce the risk of failure and its consequences and develop incident response procedures.

7. Access control – restrict access rights to networks, systems, applications, functions and data in order to detect unauthorized activities.

8. Information systems acquisition, development and maintenance – prevent the loss, modification, or misuse of information in operating systems and application software.

9. Information security incident management – respond appropriately to an information security breach that has been exploited by an attacker.

10. Business continuity management – develop the organization’s capacity to react rapidly to the interruption of critical activities resulting from failures, incidents, natural disasters or catastrophes.

11. Compliance – ensure conformance with all applicable laws and regulations and with information security policies and standards.

3.2 NIST – National Institute of Standards and Technology

NIST is a United States organization whose Computer Security Resource Center provides several documents regarding security. Within the series of publications proposed by NIST, the 800-series encompasses several aspects of computer security. Two of NIST’s related documents are Special Publication 800-100, the Information Security Handbook: A Guide for Managers, and Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The NIST approach relies on providing documented information to help users understand their computer security needs, select appropriate controls and become compliant with FISMA (Federal Information Security Management Act). FISMA is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act (EGA) of 2002. FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. NIST outlines 9 steps toward compliance with FISMA (Rouse, 2013):

1. Categorize the information to be protected.

2. Select minimum baseline controls.

3. Refine controls using a risk assessment procedure.

4. Document the controls in the system security plan.

5. Implement security controls in appropriate information systems.

6. Assess the effectiveness of the security controls once they have been implemented.

7. Determine agency-level risk to the mission or business case.

8. Authorize the information system for processing.

Although FISMA is designed for federal agencies, these practices can easily be adapted to private institutions. NIST indeed comprises a set of publications to support organizations in structuring their information security programs. These documents help security practitioners compare the proposed security guidelines with what currently exists in an organization, and therefore help them identify problems that demand critical attention. The Information Security Handbook (800-100) attempts to define all of the considerations required to protect information. It treats terms such as governance, systems development life cycles, security assessments, risk management, incident response and many others in detail. NIST 800-100 has affinities with ISO 27001/2 concerning the scope and definition of an information security program. NIST SP 800-53 – NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations – comprises a selection of security controls for executive federal agencies (NIST, 2009). The security controls recommended in NIST 800-53 take NIST 800-100 to a more practical level, through the definition of the scope of the security controls and thus the selection of the adequate controls that should be implemented. However, NIST 800-53 neither provides the context in which the controls should be applied, nor detailed implementation procedures for the security controls, nor the detailed steps necessary to implement a computer security program. What this document lacks is a directive concerning what should be implemented and how. Instead, it provides an extensively documented list of the existing controls, to help practitioners understand their computer security needs and select appropriate controls. In fact, this is the major constraint concerning the practical application of the security standards (Pereira, 2012).

3.3 OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation

OCTAVE is a process-driven methodology used for risk-based information security strategic assessment and planning. It helps organizations identify, prioritize and manage information security risks. The OCTAVE approach was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in 2001 to address the information security compliance challenges faced by the US Department of Defense. It is intended to help organizations to (Alberts et al, 2001):

Develop qualitative risk evaluation criteria based on operational risk tolerances;

Identify assets that are critical to the mission of the organization;

Identify vulnerabilities and threats to the critical assets;

Determine and evaluate the potential consequences to the organization if threats materialize;

Initiate corrective actions to mitigate risks and create a practice-based protection strategy.

OCTAVE works in three phases:

Phase 1: Build Asset-Based Threat Profiles

Phase 2: Identify Infrastructure Vulnerabilities

Phase 3: Develop Security Strategy and Plans

The overall approach of OCTAVE relies upon the creation of three catalogs of information: a catalog of practices, a threat profile and a catalog of vulnerabilities. These catalogs then create the baseline for the organization. Regarding the evaluation process, the OCTAVE approach is formally defined in a catalog of practices, intended to help organizations create a protection strategy and develop actions for the risk mitigation plans. This catalog is divided into two types of practices – strategic and operational. The strategic practices focus on organizational issues at the policy level and provide general management practices, while the operational practices focus on technology-related issues, dealing with how people use, interact with, and protect technology. Since strategic practices are based on good management practice, it is suggested that they remain stable over time, while operational practices are more subject to the changes inherent to technology advances, so new or updated practices should be adopted on a continuous basis to help organizations deal with those changes. In conclusion, the catalog of practices is intended to help organizations determine which specific practices are currently working well with respect to security (its current practices) and which specific weaknesses exist in current security practices (its organizational vulnerabilities) (Alberts et al, 2001). The strategic practice areas proposed by OCTAVE are briefly described below (Alberts et al, 2001):

1. Security Awareness and Training – understand how information security practice is enhanced through training and education.

2. Security Strategy – focuses on the integration of information security issues into the business strategy of the organization.

3. Security Management – defines information security roles and responsibilities as well as management’s support for information security activities.

4. Security Policies and Regulations – addresses the organizational and management direction for information security, including the regulations complied with. This area also deals with the staff’s understanding of policies and the enforcement of policies.

5. Collaborative Security Management – comprises the establishment of good practices when working with third parties (contractors, Internet service providers, managed service providers, partners, etc.).

6. Contingency Planning/Disaster Recovery – addresses plans to counteract disruptions in business activities and in systems and networks.

The operational practice areas proposed by OCTAVE are identified below (Alberts et al, 2001):

1. Physical Security – comprises the physical security plans and procedures; physical access control; monitoring and auditing of physical security.

2. Information Technology Security – comprises several areas, namely: (1) system and network management; (2) system administration tools; (3) monitoring and auditing IT security; (4) authentication and authorization; (5) vulnerability management; (6) encryption; (7) security architecture and design.

3. Staff Security – comprises incident management and general staff practices.
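The OCTAVE material above describes risk evaluation criteria based on risk tolerance, asset-based threat profiles and a mitigation plan, and section 3.2 lists the NIST steps of categorizing information, selecting baseline controls and refining them through a risk assessment. The following is an added example, not code from the paper, from SEI or from NIST, that carries both ideas through in one small model: each asset states the impact of losing confidentiality, integrity or availability, each threat has a likelihood, the risk score is impact times likelihood, and the decision thresholds pick the controls. The scales, thresholds, assets, threats and control names are all constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed qualitative scales, 1 (low) .. 3 (high).
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}


@dataclass
class Asset:
    name: str
    confidentiality: str   # impact if the property is lost: low/medium/high
    integrity: str
    availability: str
    critical_process: str  # business process that depends on the asset


@dataclass
class Threat:
    asset: str
    description: str
    outcome: str           # property affected: confidentiality/integrity/availability
    likelihood: str


@dataclass
class RiskItem:
    asset: str
    threat: str
    score: int
    decision: str
    controls: list = field(default_factory=list)


# Constructed baseline control sets per overall category (NIST "select baseline").
BASELINE = {
    1: ["access control policy", "backups"],
    2: ["access control policy", "backups", "event logging",
        "security awareness training"],
    3: ["access control policy", "backups", "event logging",
        "security awareness training", "encryption at rest",
        "incident response plan"],
}

# Constructed threat-specific refinements, added only where the risk must be
# mitigated (NIST "refine by risk assessment" / OCTAVE mitigation plan).
REFINEMENTS = {
    "confidentiality": ["multi-factor authentication for administrators"],
    "integrity": ["change management", "patch management"],
    "availability": ["redundant site", "capacity monitoring"],
}


def categorize(asset):
    """Overall category = highest impact of the three properties (high-water mark)."""
    return max(IMPACT[asset.confidentiality], IMPACT[asset.integrity],
               IMPACT[asset.availability])


def risk_score(asset, threat):
    """Qualitative risk = impact of the affected property x likelihood of the threat."""
    return IMPACT[getattr(asset, threat.outcome)] * LIKELIHOOD[threat.likelihood]


def decide(score, mitigate_at=6, monitor_at=3):
    """Evaluation criteria derived from risk tolerance (constructed thresholds)."""
    if score >= mitigate_at:
        return "mitigate"
    if score >= monitor_at:
        return "monitor"
    return "accept"


def evaluate(assets, threats, mitigate_at=6, monitor_at=3):
    """Prioritized risk list, each item carrying the controls selected for it."""
    by_name = {a.name: a for a in assets}
    items = []
    for t in threats:
        a = by_name[t.asset]
        score = risk_score(a, t)
        decision = decide(score, mitigate_at, monitor_at)
        controls = list(BASELINE[categorize(a)])
        if decision == "mitigate":
            controls += REFINEMENTS[t.outcome]
        items.append(RiskItem(a.name, t.description, score, decision, controls))
    return sorted(items, key=lambda r: (-r.score, r.asset))


# Constructed sample inventory: two assets, four threats.
SAMPLE_ASSETS = [
    Asset("customer card database", "high", "high", "medium", "card payments"),
    Asset("public website", "low", "medium", "medium", "marketing"),
]
SAMPLE_THREATS = [
    Threat("customer card database", "administrator credentials obtained by phishing",
           "confidentiality", "possible"),
    Threat("customer card database", "flooding of the data centre", "availability", "unlikely"),
    Threat("public website", "content tampering through an unpatched web application",
           "integrity", "likely"),
    Threat("public website", "denial of service during a campaign", "availability", "possible"),
]


def sample_plan():
    return evaluate(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for item in sample_plan():
        print(f"{item.score} {item.decision:8} {item.asset}: {item.threat}")
        print("   controls:", ", ".join(item.controls))
```

The thresholds are the "evaluation criteria" the methodology asks an organization to set from its own risk tolerance; changing them re-sorts nothing but changes which items get refinements, which is the point the paper makes about results depending on the evaluators' judgement.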

OCTAVE is a comprehensive, systematic, context-driven and self-directed approach, based on people’s knowledge. It requires the involvement of people at all levels of an organization to work together and provide input to identify and understand their security risks and make the right decisions about mitigation and protection. Due to its self-directed nature, the implementation of security controls is highly dependent on the security experts’ interpretation of the methodology adopted; they therefore decide according to their experience and their perception of security, which might leave overlooked flaws in the organization’s information security management. The essence of this approach is the security risk analysis of the assets; based on the assigned risk, the security requirements are defined. In fact, risk assessment plays a crucial role in identifying potential threats to the organization and provides a perfect opportunity to implement effective controls to protect critical processes and assets. A constraint of the OCTAVE approach lies in the absence of directives for assessing and mitigating security risks. The evaluation is a process managed through the conduction of analysis workshops, to gather information and make decisions.

3.4 Other methodologies

The previous security standards and methodologies are an unarguable reference in the security management domain. However, there are a number of public and semi-public institutions which provide best practices to manage security protection, such as:

Information Security Forum (ISF) (https://www.securityforum.org) provides a publication titled “Standard of Good Practice”, which outlines information security best practices.

Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University (http://www.cert.org/). CERT/CC provides detailed and specific assistance on how to implement a security methodology.

Information Systems Audit and Control Association (http://www.isaca.org) organizes several seminars and classes on best practices.

The International Association of Professional Security Consultants (http://www.iapsc.org/) and the Global Grid Forum (http://www.ogf.org/) provide a list of best practices.

The portal SearchSecurity.com (http://searchsecurity.techtarget.com/) and NIST’s Computer Security Resource Center (http://csrc.nist.gov/) are both free portals dedicated to security which include collections of best practices.

3.5 Summing-up

This crosswalk of security standards and methodologies demonstrates some affinities according to their shared subject matter and focus, and can help organizations align adequate security practices with their business security requirements. A large part of effective security practice is reaching a common level of proficiency, since patching systems in a timely way and configuring them in a secure manner increases the likelihood that an organization will remain secure. The adoption of security standards and methodologies enables organizations to build client and partner trust in their capacity to secure their information assets and ensure business continuity. The implementation of security controls enables organizations to demonstrate their commitment to securing information assets and ensuring the confidentiality of customer information. They also provide their business partners and clients with greater confidence in their capacity to prevent, and rapidly recover from, any interruptions to production or service levels. It is becoming clear, however, that to address all aspects of security, organizations should implement a comprehensive approach using a methodological security standard. In reality, the standards are primarily intended for governments, military and financial institutions, but they can be adopted in other contexts. NIST as well as ISO/IEC 27001 have put forth standards and guidelines intended to provide a level of protection for information resources. OCTAVE, moreover, follows a different approach from the standards presented above: it proposes a catalog of practices scoped into strategic and operational contexts, with large involvement of organizational staff. But is this approach practicable in huge organizations? Once again, isn’t security highly dependent on people’s perceptions of security and their interpretations of the standard or methodology adopted? Can all the procedures be applicable to every organization? Certainly not, but many will be, since despite the different methodologies and approaches proposed by each standard and security methodology, they all share a lot of concepts and guidance on security protection.

4. Considerations regarding the implementation of security policies

The previous section briefly presented the most widely referenced security standards scoped on the implementation of security good practices. The importance of these standards in creating a solid foundation for an information security program is undoubted. However, several enhancements are needed, especially due to the changeable nature of this domain. Notwithstanding their importance, the standards are usually subject to revision every five years, which can sometimes result in an inaccurate response. Moreover, despite the constraints of the OCTAVE methodology mentioned previously, it provides a more practical approach. It is driven by the risk analysis of the assets, which clearly defines a realistic target state for an information security program. The target security state will vary from one organization to another; however, in general, a target state can be described as successfully satisfying the information security requirements of critical processes and critical assets. It should be noted that establishing the target security state for any organization, regardless of its business activity, is an extremely complex activity, as an organization’s security expectations and requirements are often dynamic in nature. Therefore, this dynamic target state shows more than ever that organizations need to be agile, responsive, flexible and dynamic when they are establishing their security objectives, and especially when they are driven by an overall need for continuous improvement. In fact, ongoing risk analysis is an approach that will certainly influence the decision of which controls should be implemented to protect the critical processes and assets.
Moreover, the organizational processes within a given business activity are accomplished with a specific objective, which in the end is aligned with the organization’s mission and objectives. In the case of critical processes, their objective is much more important, as they mainly contribute towards the achievement of organizational operations. Organizational assets usually form a set of items of great importance or value to the organization, which may take many forms, such as corporate policies, procedures, human resources, applications, or even information. The most critical assets from an information security perspective are those that are required by critical processes (ISO/IEC 17799:2000/27002:2005). In practice, when a business process is operating as expected, it is contributing to the organization’s objectives, and it also guarantees a reasonable level of assurance regarding its effective execution. For an organizational information security program to be effective, it is required to address the analysis and resolution of information security events. Audits, statistical analysis, log analysis and performance metrics provide valuable information to assist in the evaluation and monitoring of events and potential asset vulnerabilities. This data can then be used in the validation of a security program, or even in the forensic analysis resulting from a security incident or critical breach. The information security incident management procedure should be explicitly documented, and all employees, contractors and third parties should be educated in its requirements and their associated responsibilities (ISO/IEC 17799:2002/27002:2005). Additionally, the analysis and measurement of the effectiveness of information security also provides valuable input to the organization, despite being a very complex and extremely difficult process.
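The paragraph above names log analysis and performance metrics as the raw material for monitoring events and for the incident management procedure. The following is an added example, not code from the paper, showing the smallest useful version of both over a constructed authentication log in sshd-style syslog format: it parses the lines, derives a few metrics (failure rate, failures per source, lines it could not parse), and raises an event when one source accumulates five failed logins within a sixty-second window. The log lines, the addresses (documentation ranges) and the threshold and window are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data); one line deliberately has a
# message the parser does not understand, to show that such lines are counted.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Mar 10 08:00:03 host1 sshd[2102]: Failed password for root from 203.0.113.5 port 40212 ssh2
Mar 10 08:00:05 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 40213 ssh2
Mar 10 08:00:05 host1 sshd[2103]: Connection closed by 203.0.113.5 port 40213 [preauth]
Mar 10 08:00:06 host1 sshd[2104]: Accepted publickey for alice from 198.51.100.7 port 50100 ssh2
Mar 10 08:00:08 host1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40214 ssh2
Mar 10 08:00:09 host1 sshd[2106]: Failed password for root from 203.0.113.5 port 40215 ssh2
Mar 10 08:00:30 host1 sshd[2107]: Failed password for bob from 198.51.100.7 port 50101 ssh2
Mar 10 08:00:31 host1 sshd[2108]: Accepted password for bob from 198.51.100.7 port 50102 ssh2
Mar 10 08:12:00 host1 sshd[2109]: Failed password for root from 203.0.113.5 port 40216 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text):
    """Turn log text into event dicts; unknown message types are counted, not dropped silently."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append(e)
    return events, skipped


def metrics(events):
    """Performance metrics a security program can track over time."""
    failed = sum(1 for e in events if e["result"] == "Failed")
    return {
        "events": len(events),
        "failed": failed,
        "accepted": len(events) - failed,
        "failure_rate": round(failed / len(events), 3) if events else 0.0,
        "sources": len({e["src"] for e in events}),
        "failures_by_source": Counter(e["src"] for e in events if e["result"] == "Failed"),
    }


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Raise one event per source whose failures reach `threshold` inside a sliding window."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for e in events:
        if e["result"] != "Failed":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])   # one event per source; later failures go to the metrics only
            alerts.append({
                "source": e["src"],
                "count": len(q),
                "first_seen": q[0],
                "detected_at": e["ts"],
                "seconds_to_detect": int((e["ts"] - q[0]).total_seconds()),
            })
    return alerts


def analyse(text=SAMPLE_LOG):
    events, skipped = parse(text)
    m = metrics(events)
    m["unparsed"] = skipped
    return m, detect_bursts(events)


if __name__ == "__main__":
    m, alerts = analyse()
    print(m)
    for a in alerts:
        print(f"event: {a['count']} failed logins from {a['source']} "
              f"in {a['seconds_to_detect']} s (first {a['first_seen'].time()})")
```

Time-to-detect and the unparsed-line count are the two numbers worth reporting upward: the first measures how quickly the monitoring reacts, the second how much of the log the detection is blind to, which is exactly the kind of effectiveness measure the paragraph says is valuable but hard to obtain.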
In reality, it helps to ensure that decision makers have a detailed understanding of which assets are most valuable to them, and whether those assets have been allocated an appropriate level of classification based on roles/responsibilities and on the criticality of the asset relative to its prioritized level. It is recommended that the implemented policies be documented in a simple, standardized and structured form, and also that appropriate training on the information security policy be provided to all personnel within the organization, aligning their functional roles with the organization's security expectations. Almost all security standards and methodologies, laws and regulations require organizations to educate their personnel as part of the overall policy and security awareness. Fostering and continuously conducting a security culture, and recognizing it as one of the single most critical core competencies within an organization, will almost certainly assist any organization in becoming closer to its business goals.

5. In conclusion

In general, to address all aspects of security, organizations first determine their primary security objectives, then implement adequate methods to formalize and validate their management, and finally develop procedures to achieve their objectives. In practice, a security protection program is much more than this and requires the involvement of several variables. The security standards and methodologies make it possible to create a solid foundation for an information security program. It is evident that most organizations analyse and implement their security programs in alignment with the international security standards and methodologies. In reality, the adoption of security standards and methodologies enables organizations to build client and partner trust, proving their capacity to secure their information assets and ensure business continuity. For example, organizations with committed clients and an established partner network need to demonstrate to their partners, stakeholders and clients that they have identified and measured their security risks and implemented a security policy and controls that will mitigate those risks. The importance of the security standards is beyond doubt. However, although the security standards provide a wide list of controls, they give no support or recommendations about how to perform the security functions defined, nor about the procedures for evaluating the implemented controls. These processes are designed more or less arbitrarily by practitioners on an individual basis, lacking any possibility of performance comparison. Nevertheless, a clear message is conveyed by both standards: security is a broad and complex discipline that requires a lot of cooperation throughout the entire organization.

Acknowledgement

This work has been supported by FCT – Fundacao para a Ciencia e Tecnologia within the Project Scope: PEst-OE/EEI/UI0319/2014

References

Alberts, C., Dorofee, A., Allen, J., 2001. OCTAVE(SM) Catalog of Practices, Version 2.0. Technical Report CMU/SEI-2001-TR-020, ESC-TR-2001-020. Available from: www.cert.org/archive/pdf/01tr020.pdf [Accessed October 2011].

ISO/IEC, 2009. ISO/IEC 2nd WD 27002 (revision) - Information technology - Security techniques - Code of practice for information security management. ISO copyright office: Geneva, Switzerland. Available from: http://www.iso.org [Accessed September 2010].

NIST, 2009. SP 800-53: National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations [on-line], February 2005. Available from: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf [Accessed 12 November 2011].

NIST, 2006. SP 800-100: National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers. Recommendations of the National Institute of Standards and Technology [on-line], October 2006. Available from: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf [Accessed 12 November 2011].

Pereira, T., 2012. Conceptual Framework to Support Information Security Risk Management. Ph.D. thesis, University of Minho.

Rouse, M., 2013. Federal Information Security Management Act (FISMA) [on-line], TechTarget, May 2013. Available from: http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act.

Saint-Germain, R., 2005. Information Security Management Best Practice Based on ISO/IEC 17799. The Information Management Journal, pp. 60-66.