By Ariel Peled and Dr. Troyansky
As companies face increasing regulatory requirements such as the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOXA), they must come up with policies and procedures that help them mitigate their liabilities under these regulations. Financial institutions and publicly traded organizations need to prevent the tampering, inappropriate use and leakage of financial, proprietary and non-public information in order to meet these legislative mandates.
In this article, we suggest the top twelve steps that organizations should take to keep non-public information private. We outline how organizations can establish and enforce organizational policies that will help them comply with recent GLBA and SOXA regulations and reduce their potential legal liabilities.
Introduction
Information assets within organizations (for example, financial information used for balance sheets) undergo various stages of processing, validation, review, authorization and assurance until the final version is formed and distributed. Maintaining the confidentiality, integrity and availability of this information along the process poses a non-trivial problem for most organizations. It is nevertheless critical to address, not only for regulatory compliance and litigation mitigation, but also for the control and audit of the organization’s most valuable assets.
THE ISSA JOURNAL ◆ March 2004
The legal requirements imposed by the GLBA and the SOXA add a sense of urgency. According to the latter act, which was legislated following the “Enron” crisis, officers, top-tier managers and directors may be held personally liable for the misdeeds and failures of their subordinates. This legislation narrows the distinction between organizational accountability and personal accountability. Therefore, one must employ the best security practices to mitigate both organizational and personal risks.
An information flow process that maintains confidentiality, integrity and availability can be described as a “secure information path.” The following framework outlines a 12-step program that comprehensively addresses the issues of confidentiality, integrity and availability.
Step 1: Identify and Classify Information
An organization’s first step toward the secure information path is a comprehensive and structured information classification process. The basic methodology for identification and classification is based on defining and treating the information as an asset of the organization, much like a physical asset. Each information asset should be assigned 1) a value, and 2) an information management policy.
▲ Value: A value determines the amount of resources that should be allocated to assure an information asset’s confidentiality, integrity and availability. This value should put a monetary figure on the damages, immediate and consequential, that the organization may incur if the asset does not remain confidential, its integrity is breached or it is unavailable.
▲ Information Management Policy: An information management policy determines the asset’s usage and distribution along the information’s lifecycle. Each information asset should have (at least) a confidentiality level (for example, public, confidential, company only, etc.), an integrity level (who has signed it and when, who has changed it since the last signature, etc.) and an availability level. By defining these elements in a separate Information Management Policy Database (IMP), the foundation for a secure corporate information infrastructure is established.
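One way to make the integrity level of Step 1 concrete, as an added example that is not code from the article or from Vidius: a single IMP record that carries the asset’s value and its confidentiality and availability levels, plus a signature log and a change log, so the record can answer “who signed it and when” and “who changed it since the last signature.” Class names, the confidentiality levels, the sample asset and the dates are all constructed for the example.

```python
"""Added example, not code from the ISSA article: one record of the
Information Management Policy Database (IMP) described in Step 1.  The
integrity level is made checkable by logging signatures and changes
against a content digest.  All names, dates and content are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

CONFIDENTIALITY_LEVELS = ("public", "company only", "confidential")


def digest(content: bytes) -> str:
    """SHA-256 of the asset content; a mismatch with the last signature's
    digest means the asset changed after it was signed."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Signature:
    signer: str
    signed_at: datetime
    content_hash: str


@dataclass
class Change:
    editor: str
    changed_at: datetime
    content_hash: str


@dataclass
class InformationAsset:
    name: str
    owner: str                 # accountable information owner (see Step 4)
    value: float               # estimated monetary damage if C, I or A fails
    confidentiality: str       # one of CONFIDENTIALITY_LEVELS
    availability: str          # e.g. "business hours", "24x7"
    content: bytes
    signatures: list = field(default_factory=list)
    changes: list = field(default_factory=list)

    def __post_init__(self):
        if self.confidentiality not in CONFIDENTIALITY_LEVELS:
            raise ValueError(f"unknown confidentiality level: {self.confidentiality!r}")

    def sign(self, signer: str, when: datetime = None) -> None:
        """Record that `signer` approved the content as it exists now."""
        when = when or datetime.now(timezone.utc)
        self.signatures.append(Signature(signer, when, digest(self.content)))

    def update(self, editor: str, new_content: bytes, when: datetime = None) -> None:
        """Replace the content and record who did it."""
        when = when or datetime.now(timezone.utc)
        self.content = new_content
        self.changes.append(Change(editor, when, digest(new_content)))

    def integrity_status(self) -> dict:
        """Answer the Step 1 integrity questions for this asset."""
        if not self.signatures:
            return {"signed": False, "modified_since_signature": None, "modified_by": []}
        last = self.signatures[-1]
        later_editors = [c.editor for c in self.changes if c.changed_at > last.signed_at]
        return {
            "signed": True,
            "signed_by": last.signer,
            "signed_at": last.signed_at.isoformat(),
            "modified_since_signature": digest(self.content) != last.content_hash,
            "modified_by": later_editors,
        }


def protection_priority(assets: list) -> list:
    """Order assets by value, highest first: the article ties the resources
    spent on an asset to the damage its compromise would cause."""
    return [a.name for a in sorted(assets, key=lambda a: a.value, reverse=True)]


def demo() -> dict:
    """Constructed scenario: the CFO signs a balance sheet, then an analyst
    edits it afterwards.  Returns the integrity status of the edited asset."""
    t0 = datetime(2004, 3, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2004, 3, 2, 14, 30, tzinfo=timezone.utc)
    balance_sheet = InformationAsset(
        name="Q4 balance sheet", owner="cfo", value=5_000_000.0,
        confidentiality="confidential", availability="business hours",
        content=b"total assets: 100; total liabilities: 60")
    balance_sheet.sign("cfo", t0)
    balance_sheet.update("analyst", b"total assets: 100; total liabilities: 50", t1)
    return balance_sheet.integrity_status()
```

The digest comparison is what turns “integrity level” from a label into a check: an asset whose current digest differs from the one recorded at the last signature has been changed since sign-off, and the change log names who did it.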
Step 2: Study Current Processes
It is essential to understand current workflows and business processes, both as documented and as practiced, to see how confidential information flows around an organization. The methods for business process and information flow analysis are well known, but they can be quite involved. However, in most cases a short questionnaire that addresses several basic workflow aspects can yield very helpful (and very often surprising) results. Such a questionnaire should identify, for each workflow scenario:
▲ The actual participants (agents)
▲ The information assets that are received, created, processed and distributed by each agent
▲ The information flow: the chain of events that consists of the originator, the action, the subject of the action, and the destination entity(s).
Step 3: Perform Gap Analysis and Risk Assessment
The next step requires a careful analysis of the difference between the defined policies and actual behavior. Disparities in the participants, the information assets in use and the workflows all need to be identified.
After the gap analysis is completed, an educated risk assessment process should take place. This assessment includes determining potential breach scenarios, their likelihood, and their potential impact on the organization.
©2004 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
Typical risk scenarios that should be considered in light of GLBA and SOXA are described below:
GLBA:
▲ An employee discloses Non-Public Information (NPI) to an unauthorized recipient by mistake (the “oops…” syndrome). This is perhaps the most common risk, and yet the most dangerous one.
▲ An employee maliciously discloses NPI to an unauthorized recipient.
▲ An employee discloses NPI to an authorized recipient over an unencrypted or otherwise insecure medium, possibly resulting in interception of the NPI by an unauthorized third party.
▲ An employee discloses NPI to a supposedly authorized recipient without proper authorization or authentication. More specifically, the recipient may be an authorized entity but was not properly authenticated as such.
▲ Disclosure or mishandling of account access information or of other NPI results in unauthorized access to, change, corruption or destruction of other NPI, or in unauthorized transactions and financial damage.
SOXA:
▲ An employee changes financial information without proper authorization because the business process in effect differs from the declared procedure.
▲ An employee discloses information regulated by the SEC (such as filings) prior to the release date.
▲ An employee who is required for the production and authorization of a financial report is left out of the authorization process because of corporate politics.
▲ An employee who is not part of the formal business process participates in financial information gathering for a report because of the employee’s social relations with an authorized employee.
▲ A company regional branch’s actual business process does not execute as defined because a small group of authorized personnel (including the manager) are cooking the books as a result of poor performance.
All of the scenarios above should be detected, audited and reported, and eventually mitigated by closing the gap via appropriate policies, procedures and technological means. Because security policy design and implementation may be time consuming, policies need to provide sufficient flexibility for changes in your organization’s business processes.
Step 4: Appoint Information Owners and Define Ownership Hierarchy
Appointing information owners and defining the ownership hierarchy is absolutely critical for the success of any secure information path project. An information asset to which no clear owner was assigned cannot be properly handled and secured. The owners should have complete responsibility for determining and enforcing the information distribution and usage policy on their information assets. Natural candidates for ownership of a certain information asset are either the creator of this information asset or the person who is responsible for it. Examples of these confidential information owners include:
▲ HR director for employee data
▲ CTO for research and patents
▲ CFO for financial reports
Nevertheless, various organizations may define different criteria for information ownership. Although in principle the owners have the right and the duty to define and enforce a specific usage and distribution policy (within the limitations of the organizational policies and procedures), the owners are, in many cases, not information technology (IT) personnel, and they may not be qualified to properly handle confidential information. Therefore, in such cases, the role of custodian of the information is defined. This role is preferably taken by a technical person, for example, a system administrator, IT manager or information security officer.
Just like working a budget, the information ownership hierarchy is built from the top down (with bottom-up feedback). First the general hierarchy and framework policies are defined to make sure everyone in the organization shares the same vision and goals. Departmental and regional hierarchies and policies follow; they are derived from the general definition and are confined by it. While different groups in the organization may have different security requirements and needs, a general outline must be followed. Failing to do so may cause, for instance, the marketing department to share customer information with a business partner for the department’s own gain, causing more damage than benefit to the organization as a whole.
Step 5: Authorize Content Usage and Processing Policies
Users working with confidential or private information need to be authorized, required and limited to perform certain tasks. These tasks can include reading, editing, forwarding, filtering, etc. For instance, some users can read certain documents but do not have the ability to modify them. These user privileges need to be explicitly defined within the content usage policies. In addition, a clear owner should be assigned to each task, with reporting procedures and timelines.
Ultimately, the privilege to perform these tasks should be monitored using a technology solution that can instantly and clearly report how users are working with sensitive data. This visibility ensures that the organization is in compliance with both internal and regulatory policies.
Step 6: Design Access Monitoring and Control Paradigm
Constructing a secure information path requires educated and methodical access control. Access control solutions manage the flow of information between entities that request access and entities that contain the desired information. Access control serves two main purposes:
▲ Protecting against unauthorized access to organizational resources.
▲ Providing security features that control the manner in which users and systems communicate and interact with other systems and resources.
Access control is a well-known practice and one of the first computer security measures ever employed. Access privileges are typically granted on a file-by-file basis. Yet one often finds that the actual content of a file differs from what it is supposed to be: confidential information can often reside within files that are not restricted but should be. It is therefore imperative to augment file-based access control systems with content-aware technology.
Step 7: Set Information Distribution Policies
Setting a solid and manageable information distribution policy is paramount for assuring the required privacy, confidentiality, availability and integrity of your confidential information. The distribution policy imposes a set of limitations on the distribution of an information object, such as the authorized communication channels, authorized senders and recipients, and further restrictions and constraints in addition to those that govern the access and usage of any information asset.
In addition, the distribution policy should also include the corresponding set of required actions whenever a limitation or restriction is met, such as blocking, alerting, reporting, quarantining or logging. A sound distribution policy often correlates closely with the file system (or document management application, application services) access policy, and typically may inherit many of its attributes.
In general, the policy needs to be defined exclusively, rather than inclusively. Exclusive policies outline which users (or entities) are allowed to access or use which content (an allow list, or “whitelist”). On the other hand, inclusive policies create a restricted list or “blacklist.” “Blacklisting” may give rise to a default grant of access, and to security risks stemming from classification failure, because each restricted entity needs to be explicitly listed.
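The difference between the two policy styles, as an added example that is not the article’s or Vidius’s code: an exclusive (allow-list) policy and an inclusive (restricted-list) policy are evaluated over the same distribution requests, and the requests on which they disagree are exactly the recipients and channels that classification never covered. The recipients, channels, response actions and the asset name are constructed.

```python
"""Added example, not the article's code: the two distribution policy
styles from Step 7 evaluated side by side.  An exclusive policy lists who
MAY receive an asset and over which channels; an inclusive policy lists who
MAY NOT.  An entity the classification process missed is in neither list,
so the two styles disagree exactly there (the "default grant" risk).
Recipients, channels and response actions are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    asset: str
    sender: str
    recipient: str
    channel: str  # e.g. "internal-mail", "external-mail", "webmail", "usb"


@dataclass
class ExclusivePolicy:
    """Allow list: permitted only if recipient AND channel are both listed."""
    allowed_recipients: frozenset
    allowed_channels: frozenset
    on_violation: tuple = ("block", "alert", "log")

    def decide(self, req: Request) -> tuple:
        permitted = (req.recipient in self.allowed_recipients
                     and req.channel in self.allowed_channels)
        return ("allow", ("log",)) if permitted else ("deny", self.on_violation)


@dataclass
class InclusivePolicy:
    """Restricted list: denied only if recipient OR channel is listed."""
    restricted_recipients: frozenset
    restricted_channels: frozenset
    on_violation: tuple = ("block", "alert", "log")

    def decide(self, req: Request) -> tuple:
        restricted = (req.recipient in self.restricted_recipients
                      or req.channel in self.restricted_channels)
        return ("deny", self.on_violation) if restricted else ("allow", ("log",))


def default_grants(requests, exclusive, inclusive) -> list:
    """Requests the restricted-list policy lets through that the allow-list
    policy would stop: each one is an entity nobody classified."""
    return [r for r in requests
            if inclusive.decide(r)[0] == "allow" and exclusive.decide(r)[0] == "deny"]


# Constructed policies for one asset, "customer NPI extract".
EXCLUSIVE = ExclusivePolicy(
    allowed_recipients=frozenset({"cfo@example-bank.test", "audit@example-bank.test"}),
    allowed_channels=frozenset({"internal-mail"}))
INCLUSIVE = InclusivePolicy(
    restricted_recipients=frozenset({"press@example-news.test"}),
    restricted_channels=frozenset({"webmail", "usb"}))

# Constructed requests.  The last one goes to a consultant mailbox that was
# never classified, over a channel nobody thought to restrict.
REQUESTS = [
    Request("customer NPI extract", "analyst", "audit@example-bank.test", "internal-mail"),
    Request("customer NPI extract", "analyst", "press@example-news.test", "internal-mail"),
    Request("customer NPI extract", "analyst", "cfo@example-bank.test", "usb"),
    Request("customer NPI extract", "analyst", "consultant@example-partner.test", "external-mail"),
]


def decisions(policy, requests=REQUESTS) -> list:
    """Decision per request as (recipient, channel, verdict)."""
    return [(r.recipient, r.channel, policy.decide(r)[0]) for r in requests]
```

Both policies agree on everything that was classified; only the unclassified consultant mailbox over an unlisted channel slips through the restricted-list policy, which is the failure mode the paragraph describes.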
Step 8: Create a Monitoring and Enforcement Plan
The ability to monitor and enforce policy adherence is crucial to the success of the program. Once the policies are defined, it is essential to define and implement monitoring and enforcement points along the path. These control points monitor information access, usage and traffic to verify adherence to the security policy, and perform the actions that the distribution policy defines for compliance and non-compliance.
Due to the immense amount of digital information in modern organization workflows, those control points must be both content-aware and able to stop unauthorized operations. Control points should be placed after each node in the Secure Information Path where major actions are taken (for example, storage devices, applications) or information is transferred in high quantities (for example, e-mail, Web). The number and location of these control points should be determined based on the risk analysis performed and the risk level of each node.
Step 9: Construct Audit and Detection Program
The audit program should cover all aspects of information access, usage and distribution. Detection rules for irregularities should be designed together with the actions to take for an event, based on its severity. The resulting analysis should be displayed in a clear and concise manner that highlights any unauthorized or suspicious activity and logs authorized actions. Reporting needs to visualize both discrete events and long-term patterns or trends. Three levels of detection are recommended:
▲ Audit reports for authorized actions
▲ Alerts on suspicious activities
▲ Reports regarding unauthorized activity that was blocked
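A content-aware control point of the kind Steps 8 and 9 describe, as an added example that is not code from the article or from Vidius: it sits on an outbound e-mail path, inspects message bodies rather than file names, applies one distribution rule (NPI may go only to internal recipients), and records each event at one of the three detection levels above. The NPI detectors, the internal domain, the bulk threshold and the sample messages are constructed for the example.

```python
"""Added example, not the article's code: a content-aware control point on
an outbound e-mail path.  It emits one event per message at the article's
three detection levels: AUDIT (authorized, logged), ALERT (suspicious) and
BLOCKED (unauthorized and stopped).  Detectors, domains, threshold and
messages are constructed."""
import re
from collections import Counter

INTERNAL_DOMAINS = {"example-bank.test"}
BULK_THRESHOLD = 5  # constructed: this many NPI items in one message is "suspicious"

# Constructed detectors for two kinds of NPI the article names in Step 12:
# social security numbers and (a made-up format of) account numbers.
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(r"\bACCT-\d{8}\b"),
}


def classify(body: str) -> dict:
    """Count NPI items per type found in the message body."""
    counts = {name: len(pat.findall(body)) for name, pat in NPI_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def is_internal(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def inspect(message: dict) -> dict:
    """Decide what the control point does with one message and at which
    detection level the event is recorded."""
    found = classify(message["body"])
    external = [r for r in message["to"] if not is_internal(r)]
    total = sum(found.values())
    if found and external:
        level, action = "BLOCKED", "block"        # unauthorized: NPI leaving the organization
    elif total >= BULK_THRESHOLD:
        level, action = "ALERT", "quarantine"     # suspicious: bulk NPI, hold for owner review
    else:
        level, action = "AUDIT", "deliver"        # authorized, but still logged
    return {"id": message["id"], "sender": message["from"], "level": level,
            "action": action, "npi": found, "external_recipients": external}


def summarize(events: list) -> dict:
    """Long-term view: event counts per (sender, level), the trend the audit
    program is asked to visualize alongside discrete events."""
    return dict(Counter((e["sender"], e["level"]) for e in events))


# Constructed sample traffic.
MESSAGES = [
    {"id": 1, "from": "analyst@example-bank.test", "to": ["cfo@example-bank.test"],
     "body": "Draft numbers attached, no customer data."},
    {"id": 2, "from": "analyst@example-bank.test", "to": ["audit@example-bank.test"],
     "body": "Customer 123-45-6789 disputes the charge on ACCT-00012345."},
    {"id": 3, "from": "analyst@example-bank.test", "to": ["friend@example-mail.test"],
     "body": "fyi 123-45-6789"},
    {"id": 4, "from": "branch@example-bank.test", "to": ["branch2@example-bank.test"],
     "body": " ".join(f"ACCT-{n:08d}" for n in range(6))},
]


def run(messages=MESSAGES) -> list:
    """Inspect every message and return the resulting events in order."""
    return [inspect(m) for m in messages]
```

The decision depends on what is in the body and on who the recipients are, never on the file or subject name, which is the content-aware property Step 6 and Step 8 ask for; the per-sender summary is the kind of pattern a reviewer would look at before deciding whether a run of ALERT events is a process problem or an individual one.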
Step 10: Retention Policy
Several laws (such as SOXA) place requirements on the length and manner of retention of information. These requirements often depend on the sector, type of information, type of document, and other factors. In addition, it is generally required that the organization formulate and meticulously enforce a policy for the retention and retrieval of documents. When presented with a subpoena or a request for documents from a regulatory agency or an auditor, it is generally necessary to locate and retrieve all related documentation in a timely fashion, which can become an insurmountable task if, for example, the organization’s retention policy consists of a tape backup, or there is no comprehensive indexing and classification system. In addition, it is necessary for the organization to consider the costs and liability that stem from storage of information that is no longer required. It is well known that in the case of litigation or an inquiry (and indeed even before, when the organization has a reasonable expectation of being engaged in litigation or an inquiry), it is necessary to cease the regular cycle of disposing of obsolete documents that may have pertinence to the case in question. A comprehensive retention policy must include a policy for handling an upcoming investigation or litigation.
In many cases, the content of a document exists in many forms and formats, under various file names and in various locations (such as users’ hard drives). An effective retention policy should thus be defined in terms of the actual content, regardless of the file name, the format and the envelope. It is therefore preferable to employ technological means that effectively enforce the retention policy using content-aware methods.
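A retention registry keyed on content rather than file name, as an added example that is not the article’s or Vidius’s code: each document is fingerprinted from its normalized text, so copies saved under different names and in different locations share one retention record (which is also what a subpoena response needs to locate), and a legal hold suspends routine disposal for matching records. The document classes, the retention periods and the sample documents are constructed and are not taken from any regulation.

```python
"""Added example, not the article's code: a retention policy defined in
terms of content (Step 10), with a litigation hold that stops the regular
disposal cycle.  Classes, periods and sample documents are constructed."""
import hashlib
import re
from datetime import date

# Constructed retention periods in years per document class.
RETENTION_YEARS = {"financial-report": 7, "correspondence": 2}


def fingerprint(text: str) -> str:
    """Content identity: whitespace- and case-normalized text, hashed."""
    normalized = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def expiry(created: date, years: int) -> date:
    """Date on which a document created on `created` leaves its retention period."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:            # 29 February in a non-leap target year
        return created.replace(year=created.year + years, day=28)


class RetentionRegistry:
    def __init__(self):
        self.records = {}   # fingerprint -> {"class", "created", "text", "locations"}
        self.holds = set()  # fingerprints under legal hold

    def register(self, path: str, text: str, doc_class: str, created: date) -> str:
        """Record one copy of a document; identical content shares one record."""
        fp = fingerprint(text)
        rec = self.records.setdefault(
            fp, {"class": doc_class, "created": created,
                 "text": text.lower(), "locations": set()})
        rec["locations"].add(path)
        return fp

    def locate(self, fp: str) -> set:
        """All known copies of a piece of content, whatever they are named."""
        return set(self.records.get(fp, {}).get("locations", ()))

    def place_hold(self, matcher) -> int:
        """Suspend disposal for every record that `matcher(record)` selects,
        e.g. everything mentioning a counterparty once litigation is expected."""
        held = {fp for fp, rec in self.records.items() if matcher(rec)}
        self.holds |= held
        return len(held)

    def disposable(self, today: date) -> list:
        """Fingerprints past their retention period and not under hold."""
        out = []
        for fp, rec in self.records.items():
            if fp in self.holds:
                continue
            if today >= expiry(rec["created"], RETENTION_YEARS[rec["class"]]):
                out.append(fp)
        return out


def demo(today: date = date(2004, 3, 1)) -> dict:
    """Constructed scenario: one financial report saved twice under different
    names, two old letters, and a hold on everything that mentions ACME."""
    reg = RetentionRegistry()
    report = "Q4 2001 Balance Sheet\nTotal assets 100\nTotal liabilities 60"
    fp_report = reg.register(r"\\fileserver\finance\q4_2001.doc", report,
                             "financial-report", date(2002, 1, 15))
    reg.register(r"C:\Users\analyst\Desktop\copy of q4 (final).txt", report.upper(),
                 "financial-report", date(2002, 1, 15))
    fp_letter = reg.register("mail/2001/acme.txt", "Letter to ACME re pricing",
                             "correspondence", date(2001, 6, 1))
    fp_old = reg.register("mail/2001/lunch.txt", "Lunch on Friday?",
                          "correspondence", date(2001, 6, 1))
    held = reg.place_hold(lambda rec: "acme" in rec["text"])
    return {"copies_of_report": len(reg.locate(fp_report)), "held": held,
            "disposable": reg.disposable(today),
            "fp_letter": fp_letter, "fp_old": fp_old}
```

Because the fingerprint ignores the file name, the format wrapper and the location, the desktop copy of the report is the same record as the file-server copy: it inherits the seven-year period, and a hold placed on the record covers both copies. Only the unheld, expired letter is returned for disposal.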
Step 11: Plan Data Storage and Availability
Knowing where, when and how sensitive information is stored is key to ensuring a secure information path. Storage requirements may include access privileges to storage devices, restrictions regarding portable storage devices (for example, laptop computers), geographic and physical locations, storage space and compression, storage format and encoding, and storage security requirements (for example, encryption, key management, backup and physical security).
Step 12: Implement and Deploy New Information Security Policies
Management commitment and resource allocation are crucial for the project to succeed. Experience has shown that the risk of project failure and/or opposition from groups within the organization is considerably reduced if you carry out the implementation in the three ‘P’ stages:
▲ ‘Principal’—quick and cheap. Run the process only over information that is critical to the organization or whose security is mandatory by law. For example, financial institutions should start by limiting access to customer data (social security numbers, account numbers, etc.) to authorized personnel only. In addition, these financial institutions can use a basic usage audit and limit the distribution (for example, e-mail, Web-mail) of the data to internal recipients within the organization, blocking attempts to send it outside.
▲ ‘Pareto’—covers important proprietary and confidential information and business processes with medium or low change frequency. Implementation of the applicable conditional access and usage control rules can be resource-consuming. You can reduce these costs by using content-aware technologies instead of building customized security controls per application screen.
▲ ‘Progressive’—comprehensive, ongoing review of all major information assets and business processes with update milestones. Most companies will not reach that stage as it incurs considerable costs. Nevertheless, this stage is of high importance for government agencies and commercial organizations with extremely valuable proprietary information assets.
Conclusion
Information assets are the fundamentals of business today. Their secure management is crucial not only for regulatory compliance, but also for much tighter control over business processes. In the future we will likely see increased effort and progress in that direction, driven either by legislatures or by business. The 12 steps in this article supply a structured, discrete and measurable process to achieve this goal.
Ariel Peled is the CTO of Vidius, Inc. and the president of the ISSA Israeli Chapter. He holds a BSc degree in computer engineering from the Technion, Israel. While at Microsoft, he had a prominent role in the development of one of Windows NT’s subsystems and later on led the development of several military projects.
Dr. Troyansky currently serves as the chief scientist of Vidius, Inc. He holds a Ph.D. degree in computational neuroscience from the Hebrew University and has been involved in computer security research since 2000. He also led the development of several military projects.