Systemic security management:: the ICIIP model

I don't know about you but models have intrigued me ever since I was a kid playing with Meccano and Lego. There's something fascinating about the structure and relationships making the whole thing greater than the sum of its parts. So when I heard about a new model linking people, process, technology and organizational design/strategy in the context of information security, I couldn't resist a look.



A PDF presentation of the ICIIP model gets off to a good start, representing it as a nice symmetrical three-dimensional tetrahedron rather than so many other flat two-dimensional tabular models. It even has information labels on the six connections (described as "tensions") between the four nodes as well as on the nodes themselves. The tensions are governance, architecture, culture, human factors, enabling and support, and 'emergence' (representing the inherent complexity and emergent properties of any organizational system).

Digging a bit deeper, authors Laree Kiely and Terry Benzel explain slide-by-slide the labels on the model. In each case they outline what they mean by the labels, fair enough, and then follow up with 'recommendations' ... and here I start to wonder how they came up with the specific recommendations. The authors' previous works are cited but not properly referenced in the paper, so readers are left guessing.

For example, their recommendations for the governance tension are as follows:

• Understand the criticality of security issues
• A different attitude regarding governance role and duties
• Emergent, cross-industry communities of interest and communities of practice who could develop standards
• New security knowledge and criteria for CEO selection, performance review, and compensation
• Require development and education for Boards and C-Suite as part of new self-regulating standards
• Criteria implemented corporation-by-corporation
• Hold vendors and suppliers accountable for implementing these standards/criteria

Standards, education and accountability seem reasonable if not exactly Earth shattering proposals, but why did they pick these out and how do they relate to the management of information security.

There's a lot missing from the presentation slides (such as how the "tensions" relate to the nodes) which, presumably, the authors fill-in when presenting. However, there are several other materials from Dr. Kiely and Benzel on the USC Marshall website which I shall enjoy exploring at my leisure.

New awareness module on infosec governance

The field of corporate governance exploded onto management’s agenda following Enron’s collapse in 2000/2001 and the introduction of SOX (Sarbanes Oxley Act) in 2002. There has been some public discussion of IT governance since then but information security governance is still emerging from the murk.

In August's security awareness module we expand on what ‘governance’ means and how it relates to information security in particular. It affects our target audiences (staff, managers and IT professionals) differently so we explain the implications in practical terms, covering the essential elements that everyone should comprehend.

You may have seen the recent news about the arrest of a network administrator in San Francisco. As reported, the accused (Terry Childs) was solely responsible for designing, operating and securing the city government’s network. He allegedly refused to disclose the network admin passwords at first, preventing others from managing the network in his absence. While it’s far too early to determine whether there is any truth behind the allegations, the story has fascinating governance implications that find their way into a case study and the latest newsletter.

SQL as an audit tool

Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes.

Abstract:

"Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits."

In the same issue, Fred Cohen discusses the specification of control requirements for [real-time process] control systems and SCADA, an area that relatively few information security managers and IT auditors have experienced. I have had some exposure to this at power generation and engineering companies but admit I know next to nothing about it. Having seen conference presentations on "exploring" SCADA networks and Building Management Systems, I'm sure these are targets for curious hackers who relish the challenge of understanding obscure comms protocols and exploiting inadequate security controls. Fred's comments about the ever-deepening Internet connectedness of such networks and the historical lack of attention to security ring very true. I often wonder what fun would lay in store for hackers with access to the networks and devices, perhaps exploiting the numerous wireless command and control systems out there. Let's hope they are responsible enough to use their powers for good not evil.

All in all, another excellent issue. [The fact that I'm one of many on the EDPACS editorial board is purely coincidental, of course!]